HSTS?

I see that NGINX isn’t that compatible with .htaccess files. Like Apache: .htaccess | NGINX

How do I define the HSTS response header in the .htaccess file?

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L,E=HTTPS:1]
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
3 Likes

Hello there,

Just also wanted to point this out:
FYI: InfinityFree’s servers are hybrid and use both Nginx and Apache. Htaccess rules will work fine here.

Just insert the rule which @katufo provided above. If you want a simpler rule you can use this instead:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
5 Likes

Thank you for all the rules.
Redirection to HTTPS works fine, and I tested prior to implementing HSTS.
However, even after setting this in .htaccess, which I had already done

Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

the Web Server doesn’t respond with HSTS headers.

SSL Labs Test.

It seems like it’s a subdomain you’re trying to enforce with HSTS.

See error below for more information:
Screenshot_20200614_164615

I am not trying to add to HSTS Preload List.

So what are you trying to do with HSTS exactly? Weren’t you trying to enforce strict transport security?

To enable on subdomains:

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

Yes, I’m trying to enforce HSTS but not adding it to the Preload List. The rule I replied with doesn’t contain preload. The

includeSubDomains; preload

are optional.

Tried it already. Doesn’t work!

What about having your own domain instead of the epizy.com subdomain? You can get a .ml domain extension on Freenom.

Yeah, I’ll try implementing this on some custom domains and will let you know. Thanks!

Simply put, it’s my mistake for wording it badly, so you misunderstood my reply. You cannot enforce HSTS on a subdomain as far as I’m aware; only the root domain epizy.com can. As I understand it:
Screenshot_20200614_164615

1 Like

Thank you for your reply. I’ll try this with custom domain and let you know.

1 Like

Yes, please do let us know. I haven’t actually used HSTS with InfinityFree, so I wouldn’t know if it would also work with a primary domain.

1 Like
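
One way to check what this thread keeps testing for, whether an HTTPS response carries a valid HSTS header, written as an added example that is not part of any post above. It parses the header value following RFC 6797 and flags `preload` values that fall short of the hstspreload.org submission requirements; the function names and the sample responses are constructed for illustration.

```python
import re

# Constructed sample response header blocks (not captured from a real server).
WITH_HSTS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")
WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1) into a dict.
    Returns None if max-age is missing or non-numeric, or a directive repeats."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if not name:
            continue                                   # tolerate empty segments
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                            # quoted-string form is allowed
        if name in directives:
            return None
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_response(raw_headers):
    """Return (policy, problems) for the header block of one HTTPS response."""
    values = []
    for line in raw_headers.split("\r\n")[1:]:         # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    if not values:
        return None, ["no Strict-Transport-Security header in the response"]
    policy = parse_hsts(values[0])                     # only the first field is processed
    if policy is None:
        return None, ["header present but not a valid HSTS policy"]
    problems = []
    if policy["max-age"] == 0:
        problems.append("max-age=0 removes the HSTS policy")
    # The next two checks follow the hstspreload.org submission requirements.
    if "preload" in policy and "includesubdomains" not in policy:
        problems.append("preload without includeSubDomains")
    if "preload" in policy and policy["max-age"] < 31536000:
        problems.append("preload with max-age below 31536000")
    return policy, problems
```

To use it on a live site, feed `check_response` the header block saved from an HTTPS request to the host, since browsers ignore HSTS headers received over plain HTTP.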
