How to enable HSTS (HTTP Strict Transport Security) in the response header
HSTS stands for HTTP Strict Transport Security. It is a security header created to force the browser to use only secure connections to a website that runs over HTTPS.
When a user connects to a website over HTTPS, the website encrypts the session using its SSL (Secure Sockets Layer) certificate. One drawback of HTTPS on its own is that it is not completely hacker-proof: it still leaves your site open to SSL stripping. This is often the case when a website relies on 301 redirects to switch visitors from HTTP to HTTPS. It may not seem like a big deal, but it is those few milliseconds between the plain HTTP request and the redirect that you really need to worry about, because they leave your site vulnerable to attackers trying to strip away the encrypted connection. The solution to this problem is to add a Strict-Transport-Security response header.
Some hosting services already have a defined location where you can enable or disable this feature with one click.
Another way to enable this feature is through the .htaccess file. To do this, insert the following lines in your .htaccess file:
# Requires mod_headers; browsers only honour this header on responses received over HTTPS
RewriteEngine On
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

Once the lines are inserted into the file, clear the cache and monitor the result via Google DevTools (F12).
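As an added example that is not part of the original article, the following script checks the Strict-Transport-Security value a server sends back the way a browser would read it: it parses the directive syntax from RFC 6797 and reports what is missing or weak. The sample responses are constructed here; one of them carries the article's own max-age=16070400; includeSubDomains value.

```python
import re

ONE_YEAR = 31536000  # seconds; hstspreload.org will not accept a shorter max-age

def parse_hsts(value):
    """Parse 'max-age=16070400; includeSubDomains' (RFC 6797 syntax) into {name: value}.
    Names are case-insensitive; returns None when the policy is malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')  # values may be quoted-strings
        if name in directives:
            return None  # RFC 6797 6.1: every directive must appear at most once
        directives[name] = val
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return directives

def evaluate_hsts(headers, over_https=True):
    """Return findings (empty list = fine) for the HSTS policy in a response header dict."""
    findings = []
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    if not over_https:
        findings.append("header received over plain HTTP: browsers ignore it (RFC 6797 8.1)")
    parsed = parse_hsts(hsts)
    if parsed is None:
        return findings + ["malformed header value: browsers discard the whole policy"]
    max_age = int(parsed["max-age"])
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one-year minimum needed for preloading")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    if "preload" not in parsed:
        findings.append("preload missing: the site cannot be submitted to the browser preload list")
    return findings

# Constructed sample responses, not captured from any real site
PAGE_HEADER = {"Strict-Transport-Security": "max-age=16070400; includeSubDomains"}  # the article's value
STRONG_HEADER = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
BROKEN_HEADER = {"Strict-Transport-Security": "max-age=16070400; max-age=0"}  # duplicate directive

if __name__ == "__main__":
    for label, hdrs in (("article", PAGE_HEADER), ("strong", STRONG_HEADER), ("broken", BROKEN_HEADER)):
        print(label, evaluate_hsts(hdrs) or ["OK"])
```

To check a live site, pass the header dict of an HTTPS response (for example `dict(requests.get(url).headers)`) to evaluate_hsts.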

You can also use the following websites to test and confirm that HSTS is working.
Here is site 1 for HSTS test 1. The expected result is shown in the image below:

Here is site 2 for HSTS test 2. The expected result is shown in the image below:

Once this is done, your website will be more secure and your score on these tests will be higher.
