Managing HTTP Strict Transport Security (HSTS) for Your Site

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It instructs browsers to only connect to your site using HTTPS, ensuring all future requests are secure.

Why Enable HSTS?

• Prevents SSL stripping attacks.

• Forces browsers to use secure connections.

• Protects cookies from being intercepted.

• Improves overall trust and security of your site.

Enabling HSTS on a Ruachost Server

Method 1: Using .htaccess (Apache/LiteSpeed)

1. Log in to your hosting account via SSH or File Manager.

2. Navigate to your site’s document root (usually public_html).

3. Open or create the .htaccess file.

4. Add the following line:

   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   

   • max-age=31536000 → Enforces HTTPS for 1 year.

   • includeSubDomains → Applies to all subdomains.

   • preload → Allows your domain to be added to browser preload lists.

Method 2: Using Nginx

1. Log in via SSH.

2. Edit your site’s Nginx configuration file (usually in /etc/nginx/sites-available/).

3. Inside the server {} block, add:

   Nginx
   
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
   

    

4. Save and reload Nginx:

   Bash
   
   sudo systemctl reload nginx
   

    

Method 3: Using cPanel

• cPanel → Use the SSL/TLS → Manage Security Headers option (if available), or edit .htaccess manually.

Disabling HSTS (for Testing/Development)

If you need to disable HSTS temporarily:

1. Open .htaccess.

2. Add:

   Header always unset Strict-Transport-Security
   

    

3. Save changes. To re‑enable, remove or comment out this line.