How to Set Up HSTS

Step 1: Ensure SSL is Working

Your website must be accessible via HTTPS.

sudo nano /etc/nginx/sites-available/example.com

Inside server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

sudo nano /etc/apache2/conf-available/security.conf

Add:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

curl -I https://example.com | grep -i strict

⚠️ Once HSTS is set, browsers will refuse HTTP connections. Ensure HTTPS is always available.