
Enabling HSTS

David

Bristol WordPress expert and studio owner

Some of our clients who use Semrush for website health auditing have reported that HSTS is now a requirement for a site to be rated as 100% HTTPS verified:

[Image: 99% on Semrush report]

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web server directive that informs user agents and web browsers how to handle its connection through a response header sent at the very beginning and back to the browser.

Taken from globalsign.com

So essentially, the server is instructing the browser to make every future connection to the site over HTTPS. We primarily use NGINX servers, so here is a quick guide to get this sorted.

Setting up HSTS on NGINX

You need to gain access to the NGINX config for the particular site you want to modify. For some that will mean SSHing into the appropriate server; for others it might involve logging into Server Pilot or Forge and editing the config there. We use Forge, but for SSH users the config file can be found at /etc/nginx/sites-available/website (where website is the name of the site's config file).

Once inside the config file, you need to add this line:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

It can go anywhere in the main ‘server’ block, but it makes sense to keep it with the other header definitions. For example:

[Image: NGINX config and where to add HSTS]

Once that has been added, reload (or restart) NGINX and you are done!

It’s worth re-running any auditing tools (like Semrush) to make sure the new header can be found.

[Image: 100% on Semrush report]
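If you would rather not wait for the next audit, the header can be checked from a terminal. The script below is an added example, not part of the original post or of Forge: it parses a response header block (the text `curl -sI` prints) and reports whether Strict-Transport-Security is present and strong enough, assuming the policy used above (max-age of at least 31536000 seconds, i.e. one year, plus includeSubDomains); the sample header blocks at the bottom are constructed, not captured from a real server, and browsers only honour HSTS on responses received over HTTPS, so a live check must use the https:// URL.

```shell
#!/bin/sh
# Added example (not from the original post): check that a site now sends a useful
# Strict-Transport-Security header. Assumed policy: max-age >= 31536000 (one year,
# the value used in the post) and includeSubDomains present.
MIN_MAX_AGE=31536000

# hsts_max_age VALUE -> prints the max-age number from a header value (0 if absent/invalid).
hsts_max_age() {
    age=0; old_ifs=$IFS; IFS=';'
    for directive in $1; do
        # normalise: drop spaces, tabs and quotes, lower-case, then match the directive name
        directive=$(printf '%s' "$directive" | tr -d ' \t"' | tr 'A-Z' 'a-z')
        case "$directive" in max-age=*) age=${directive#max-age=} ;; esac
    done
    IFS=$old_ifs
    case "$age" in ''|*[!0-9]*) age=0 ;; esac   # non-numeric -> treat as absent
    echo "$age"
}

# hsts_has_directive VALUE NAME -> exit 0 if NAME (lower-case, e.g. includesubdomains) is set.
hsts_has_directive() {
    printf '%s\n' "$1" | tr -d ' \t"' | tr 'A-Z' 'a-z' | tr ';' '\n' | grep -qx "$2"
}

# hsts_verdict HEADERS -> prints OK, WEAK or MISSING for a raw header block; exit 0 only for OK.
hsts_verdict() {
    value=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
            | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//')
    [ -n "$value" ] || { echo MISSING; return 1; }
    if [ "$(hsts_max_age "$value")" -lt "$MIN_MAX_AGE" ] \
       || ! hsts_has_directive "$value" includesubdomains; then
        echo WEAK; return 1
    fi
    echo OK
}

# hsts_check_url URL -> same verdict for a live site. Always pass the https:// URL:
# browsers ignore HSTS on plain-HTTP responses, so checking http:// proves nothing.
hsts_check_url() { hsts_verdict "$(curl -sSI "$1")"; }

# Constructed sample header blocks (not captured from a real server).
GOOD_HEADERS='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html'
SHORT_HEADERS='HTTP/2 200
Strict-Transport-Security: max-age=300'
NO_HSTS_HEADERS='HTTP/2 200
server: nginx'

if [ $# -gt 0 ]; then hsts_check_url "$1"; else   # stand-alone demo prints OK, WEAK, MISSING
    for h in "$GOOD_HEADERS" "$SHORT_HEADERS" "$NO_HSTS_HEADERS"; do hsts_verdict "$h" || true; done
fi
```

Run it with no arguments to see the three verdicts on the samples, or pass your site's https:// URL to check the live header after reloading NGINX.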