Published: July 19, 2020
HSTS (HTTP Strict Transport Security) ensures that browsers connect to your site only over encrypted HTTPS. If a browser tries to connect to an HSTS-enabled domain over plain HTTP, it must rewrite the request to HTTPS before sending it. If the HTTPS connection fails or is unavailable, the connection must be terminated, so no data is ever transferred over plain HTTP.
HSTS also blocks connections that use an invalid, fake, or self-signed certificate. Browsers normally show a warning and let you click through to the site anyway; with HSTS enabled, they do not let users (or attackers) bypass those warnings.
To enable HSTS, add one of the following lines to the NGINX server block that serves your root domain over HTTPS (and to your subdomain blocks if you feel that is necessary). The first line sets the basic policy; the second additionally sets the preload directive, which is required if you intend to submit the domain to the preload list:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Two things to keep in mind: browsers only honour this header when it arrives over HTTPS, so it belongs on the HTTPS server block rather than the HTTP one, and includeSubDomains applies the policy to every subdomain, so all of them must be reachable over HTTPS before you turn it on. The always parameter makes NGINX send the header on error responses as well as on normal 2xx and 3xx responses.
If you want your domain included in the HSTS preload list that ships with browsers, go to hstspreload.org, enter your domain name into the box, and click the button labeled "Check HSTS preload status and eligibility".
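As an added example that is not part of the original post, here is a small Python checker that parses a Strict-Transport-Security header value and applies the preload-list rules (max-age of at least one year, includeSubDomains, and the preload directive) to header values like the two NGINX lines above. The parse_hsts, check_hsts and fetch_hsts functions and the sample header values are my own constructions, not something from hstspreload.org.

```python
"""Check a Strict-Transport-Security header against basic HSTS and preload-list rules."""
import http.client
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the preload list requires max-age of at least one year

# Constructed sample values: the two headers from the NGINX config and a weak one.
SAMPLE_HEADERS = {
    "basic": "max-age=31536000; includeSubDomains",
    "preload": "max-age=31536000; includeSubDomains; preload",
    "weak": "max-age=300",
}


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive (RFC 6797); quoted values are unquoted."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header: str, want_preload: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the header is acceptable.
    With want_preload=True the stricter preload-list requirements are applied."""
    problems: List[str] = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not an integer")
    elif int(max_age) == 0:
        problems.append("max-age=0 tells browsers to forget the HSTS policy")
    elif want_preload and int(max_age) < ONE_YEAR:
        problems.append(f"preload requires max-age >= {ONE_YEAR}, got {max_age}")
    if want_preload:
        if "includesubdomains" not in d:
            problems.append("preload requires includeSubDomains")
        if "preload" not in d:
            problems.append("preload requires the preload directive")
    return problems


def fetch_hsts(host: str) -> Optional[str]:
    """Fetch the header the way a browser would see it: over HTTPS only, since
    browsers ignore Strict-Transport-Security sent on plain-HTTP responses."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")
```

Run check_hsts(fetch_hsts("example.com"), want_preload=True) against your own domain to see what the preload submission form will complain about before you submit.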
For more information regarding HSTS, including how to get your domain removed from the list if you wish to do so later, visit hstspreload.org.