How to set HSTS headers with .htaccess

There are several “degrees” of HSTS, and the corresponding headers can be defined in .htaccess as follows:

1 – Just set the HSTS header with a max-age, the only directive the standard requires:

Header always set Strict-Transport-Security "max-age=31536000"

2 – Add the env=HTTPS condition so the header is only sent over HTTPS (browsers ignore HSTS received over plain HTTP anyway):

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

3 – Add includeSubDomains to apply the HSTS policy to all subdomains as well:

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains" env=HTTPS

4 – Add the preload token so the HSTS policy can be hardcoded into web browsers (the token alone does nothing; the domain still has to be submitted to the browsers' preload list). Beware that this cannot be easily undone, and when combined with includeSubDomains it forces every future subdomain onto HTTPS as well (you may not want this if you might later host, say, intranets on subdomains):

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
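
To check that what ended up in .htaccess matches the intended degree, here is an added example (not part of the original post): it parses Strict-Transport-Security values and audits the Header lines above for the env=HTTPS condition and the preload-list requirements. The sample .htaccess text and the one-year minimum max-age for preload are assumptions built into the example.

```python
import re

# Constructed sample .htaccess holding the article's four directives.
HTACCESS = '''
Header always set Strict-Transport-Security "max-age=31536000"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains" env=HTTPS
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
'''
# One year in seconds, the minimum max-age the preload list currently requires
# (assumption: verify against the submission page's current rules).
PRELOAD_MIN_MAX_AGE = 31536000

HEADER_RE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security'
                       r'\s+"([^"]*)"(?:\s+env=(\S+))?', re.IGNORECASE)

def parse_hsts(value):
    """Parse an STS value: ';'-separated directives with case-insensitive names."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')  # max-age="0" is legal syntax
            if not arg.isdigit():
                raise ValueError(f"bad max-age: {arg!r}")
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
        # browsers ignore unknown directives, so they are ignored here too
    if out["max_age"] is None:
        raise ValueError("max-age is required")  # header is invalid without it
    return out

def audit_htaccess(text):
    """Return (header value, [warnings]) for each HSTS Header line in the text."""
    findings = []
    for m in filter(None, map(HEADER_RE.match, text.splitlines())):
        value, env, warn = m.group(1), m.group(2), []
        p = parse_hsts(value)
        if not env or env.upper() != "HTTPS":
            warn.append("no env=HTTPS: also sent over plain HTTP, where browsers ignore it")
        if p["preload"] and p["max_age"] < PRELOAD_MIN_MAX_AGE:
            warn.append(f"preload list wants max-age >= {PRELOAD_MIN_MAX_AGE}, got {p['max_age']}")
        if p["preload"] and not p["include_subdomains"]:
            warn.append("preload list requires includeSubDomains")
        findings.append((value, warn))
    return findings
```

Run `audit_htaccess(HTACCESS)` against your own file contents; the fourth directive from the post is flagged because its max-age is below the one-year preload minimum.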
