What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.
What is required?
In order for HSTS to function, you must have:
- an SSL certificate (included and pre-installed for free by default for all Hetzner domains)
- a forced redirect to HTTPS setup on the domain.
How to activate
HSTS can be set up on a domain by adding the following code to the .htaccess file of the domain:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS