How to Enable HSTS

Enabling HTTP Strict Transport Security (HSTS) is a simple process that involves only adding a few lines with directives in the .htaccess file of your website. As a user types your website, and the browser sends a request to the server on which your website resides, the header which we will add to your .htaccess file will tell the browser that it should connect via HTTPS by default and remember this setting for the future depending on the number of seconds we put in the max-age directive of the header. In our case, we will add 31536000 seconds which amounts to one year, so if a user doesn't clean his browser's cache, that browser will connect him to your website via HTTPS by default for a period of 1 year. Alternatively, there are options to do all of this via plugins much like the premium version of Really Simple SSL for WordPress.

To add the header to your website, login to your cPanel account and navigate to the File Manager icon.

Now navigate to the directory of your hosting account in which your website resides. For most of you this will be /home/user/public_html, or if you are using a subfolder, you will also have to enter it to find your website files. Locate the .htaccess file, right click on it and select the Edit option.

Now add the following lines at the top of your .htaccess file:

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=31536000"

</IfModule>

To make it also compliant with the preload list requirements you need to add includeSubDomains and preload directives:

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

</IfModule>

So now it should look a bit like this:

Note that for our example we are using a WordPress based website with the WP Rocket plugin enabled thus the extra lines of code in our .htaccess file. Also, don't forget to hit the Save Changes button at the top of the page and you are done.

Congratulations, you have successfully enabled HSTS for your domain.