How to enable HSTS on third-party servers

This is a general overview of how to implement an HSTS policy on the most widespread server types. The guidelines are intended for web administrators who have root access to the servers' configuration files.

On Nginx, the HSTS header field needs to be added to the corresponding virtual host record. It begins with the “add_header” parameter, and all of the header's directives are enclosed in single quotes, as in the example below:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

Apache administrators should update the configuration file with the HSTS header, beginning with the “Header always set” parameter; the header's directives should be enclosed in double quotes. An example is given below:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

On Microsoft servers running IIS (Internet Information Services), the code below needs to be added to the central “web.config” file:

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>
