Prerequisites
Before enabling HSTS, make sure you have:
- A valid TLS/SSL certificate installed, issued by a CA that browsers trust (a self-signed or expired certificate locks visitors out once HSTS is cached, because HSTS errors cannot be clicked through)
- The site already working completely over HTTPS, with plain HTTP requests redirected to HTTPS
- SSH access to your VPS
⚠️ HSTS tells browsers to ALWAYS use HTTPS, and they keep enforcing that for the full max-age even if your certificate later breaks. Test thoroughly before enabling!
What is HSTS?
HTTP Strict Transport Security (RFC 6797) is a response header that tells a browser to connect to your domain only over HTTPS for the stated number of seconds: http:// links and typed addresses are upgraded before any request leaves the browser, and certificate errors can no longer be bypassed. This defeats SSL stripping attacks, with one caveat: a browser only learns the policy from a successful HTTPS response, so a visitor's very first connection is unprotected unless the domain is on the browser preload list.
Enable HSTS via HestiaCP Web Interface
Step 1: Log in to HestiaCP
https://YOUR_SERVER_IP:8083
Step 2: Navigate to WEB Section
Click on your domain → SSL tab.
Step 3: Enable HSTS
Toggle HSTS switch to ON.
Set Max Age (seconds):
- 31536000 (1 year) - Recommended for production, and the minimum accepted for preload submission
- A short value such as 300 (5 minutes) or 2592000 (30 days) - For testing; start short, confirm every page and subdomain loads over HTTPS, then raise it
Optional: Enable Include Subdomains to apply HSTS to all subdomains. Only do this if every subdomain (including mail, dev and staging hosts) serves valid HTTPS, because browsers will then refuse plain HTTP to all of them.
Step 4: Save
Click Save to apply.
Enable HSTS via Nginx Configuration (Manual)
Edit the Nginx domain config (HestiaCP regenerates these files when it rebuilds the domain, so manual edits can be overwritten; prefer the web interface or a custom template for anything permanent):
nano /home/admin/conf/web/nginx.example.com.conf
Add inside the HTTPS server block (the one with listen 443 ssl); browsers ignore the header on plain HTTP responses:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
The always flag makes Nginx send the header on error responses as well. Note that add_header directives are not inherited by a location block that sets any add_header of its own, so repeat the line there if needed. Only include preload if you intend to submit the domain to the preload list.
Test the configuration and reload Nginx:
nginx -t && systemctl reload nginx
Enable HSTS in Apache (.htaccess)
This requires mod_headers (on Debian/Ubuntu: a2enmod headers, then reload Apache). Add to the .htaccess of the HTTPS site or to the SSL virtual host:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
If the same .htaccess is also used for plain HTTP requests, append env=HTTPS (the variable mod_ssl sets on TLS connections) so the header is only emitted over HTTPS.
HSTS Preload List Submission
The preload list is built into Chrome, Firefox, Safari and Edge, so browsers enforce HTTPS for a preloaded domain even on the very first visit. To get your domain added:
- Serve a valid certificate on the bare domain and redirect HTTP to HTTPS on the same host before redirecting anywhere else
- Enable HSTS with a max-age of at least 31536000, the includeSubDomains directive and the preload directive on every HTTPS response
- Submit the domain at https://hstspreload.org
After approval it takes a browser release cycle (weeks to months) before the entry reaches users, and removal is just as slow, so treat preloading as effectively permanent: every subdomain, including ones you create later, must serve HTTPS.
Verify HSTS is Working
curl -sI https://example.com | grep -i strict
Expected output:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Over HTTP/2 curl prints header names in lowercase (strict-transport-security: ...), which is why grep -i is used. Also confirm that http://example.com redirects to HTTPS; the header only counts when a browser receives it over HTTPS.
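As an added example (not code from the original guide or from HestiaCP), the script below extends the curl check above and the preload requirements: given a hostname it fetches the Strict-Transport-Security header from the live site, otherwise it evaluates two constructed sample values, and in both cases it reports whether the value meets the hstspreload.org requirements. The hostname argument and the sample values are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of HestiaCP or the original guide): inspect an HSTS
# header value and judge it against the hstspreload.org submission requirements.
# Usage: ./hsts_check.sh example.com   (hostname is an assumed argument)

# Print the max-age value (seconds) from an HSTS header value, or nothing if absent.
hsts_max_age() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | grep -oE 'max-age=[0-9]+' \
    | head -n1 | cut -d= -f2
}

# Return 0 if the named directive (matched case-insensitively) is present.
hsts_has_directive() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ' | tr ';' '\n' \
    | grep -qx "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Evaluate a header value: one line per finding; returns 0 only when the value
# satisfies the preload requirements (max-age >= 1 year, includeSubDomains, preload).
check_hsts_value() {
  local value="$1" ok=0 max_age
  max_age=$(hsts_max_age "$value")
  if [ -z "$max_age" ]; then
    echo "FAIL: no max-age directive"; ok=1
  elif [ "$max_age" -lt 31536000 ]; then
    echo "WARN: max-age=$max_age is below the 31536000 (1 year) preload minimum"; ok=1
  else
    echo "OK:   max-age=$max_age"
  fi
  if hsts_has_directive "$value" includeSubDomains; then
    echo "OK:   includeSubDomains present (every subdomain must serve valid HTTPS)"
  else
    echo "FAIL: includeSubDomains missing (required for preload)"; ok=1
  fi
  if hsts_has_directive "$value" preload; then
    echo "OK:   preload present"
  else
    echo "FAIL: preload directive missing"; ok=1
  fi
  return $ok
}

# Fetch the header value from a live host over HTTPS; returns 1 if it is absent.
hsts_of_host() {
  local host="$1" value
  value=$(curl -sI --max-time 10 "https://$host/" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n1 | cut -d: -f2- | sed 's/^ *//')
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

if [ $# -gt 0 ]; then
  host="$1"
  if value=$(hsts_of_host "$host"); then
    echo "$host sends: $value"
    check_hsts_value "$value"
  else
    echo "$host: no Strict-Transport-Security header over HTTPS"; exit 1
  fi
else
  # Constructed sample values: the first is preload-ready, the second is not.
  for sample in "max-age=31536000; includeSubDomains; preload" "max-age=2592000; includeSubDomains"; do
    echo "--- $sample"
    if check_hsts_value "$sample"; then echo "preload-ready"; else echo "not preload-ready"; fi
  done
fi
```

The directive parsing is deliberately case-insensitive and whitespace-tolerant because RFC 6797 allows both, while the max-age comparison is numeric so a value like 3153600 (a missing digit) is caught as too short rather than passing a string match.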
Disable HSTS
Removing the header is not enough on its own: browsers that already cached the policy keep enforcing HTTPS until their stored max-age runs out. To disable cleanly, first change the header to max-age=0 (without includeSubDomains) and keep serving it over HTTPS for at least as long as the old max-age, so returning visitors clear the cached policy; then remove the header from the config and reload the web server. If the domain was submitted to the preload list, you must also request removal through hstspreload.org, which takes several browser release cycles to reach users.
✅ HSTS has been enabled! Your site now forces HTTPS.