Best practice to secure your cookies and stop downgrade attacks is HTTP Strict Transport Security (HSTS).
It prevents your website from cookie hijacking and other attacks by allowing only secure connections through HTTPS.
So, one required thing is SSL certificate and must be installed on your website.
If you don’t have SSL certificate, then you must install a one on your website.
Basically, HSTS is a header protocol which lets the browser to make secure communication through HTTPS.
Why Should I Use HSTS?
HSTS isn’t concept of 1990’s but was specified back in 2012 by IETF.
So you might ask “Why should I Use it”?
Let’s have a look at the benefits of using HSTS.
- If a user tries to view non-secure version i.e; HTTP, he will be automatically redirected to secure version.
- It can save your website cookies from attackers. Cookie hijacking can be stopped by this way.
- Doesn’t allow the overriding of invalid certificate message.
Now let’s see how we can enable it on WordPress?
How To Implement HSTS on WordPress site?
In order to add HSTS header to HTTP requests , we have to apply the directive to web server. Then the web server automatically add it to HTTP requests.
It is a kind of redirect just like 301. So, you may ask “If I have 301 redirection enabled, can I use it?“
Those of you who are worried about their SEO shouldn’t get panic. Because the Google’s Security Team officially said that you can use HSTS header with 301 redirect.
So, this Header doesn’t have only one directives but many. In the following codes we are applying one directive.
Implement HSTS in Apache
If your WordPress website runs on Apache web server, you can edit your .htaccess file.
Inside the file and on bottom, add this code.
Header always set Strict-Transport-Security max-age=31536000
Also, you can omit the word always
in above code.
Implement HSTS In NGINX
If you are running your website on NGINX, then you don’t have any .htaccess file because it isn’t Apache.
What you have to do is to find the nginx.conf (NGINX Configuration file) file.
Inside it, locate the server
block and this directive to it.
add_header Strict-Transport-Security max-age=31536000
That is how you add or implement HSTS in WordPress powered website.
Now lets see other directives.
Preload HSTS Directive
HSTS Preloading is a mechanism of enforcing the use the SSL/TLS before any connection is made.
There is a list of hosts which is compiled by big giant Google and utilize it in Chrome. Other browsers like Safari, Firefox, Opera, etc also utilize this list.
In order to get in the list, you have to submit it through this site. https://hstspreload.appspot.com/
Before submitting your website to be listed in the preload list, please do check these things. If you met these requirements then you will be added to preload list.
- Must have SSL/TLS installed.
- Serve the base domain and all sub domains over HTTPS.
- HSTS should be specified to all sub domains also.
- Must have an expiry directive (at least 1 year).
- Must have
includeSubDomains
andpreload
directive.
To do all the above things just put this line inside your .htaccess
file.
<IfModule mod_headers.c> Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS </IfModule>
Remember to remove the HSTS code in .htaccess
if you applied that earlier.
How To Verify HSTS Header?
There are different ways to check whether your site is sending HSTS Header or not.
The best way is to check through the inspect tool of web browser.
Open your base website and inspect
it.
Under the Inspect Tool, you will notice Network tab. Under it click the base domain and check Headers. A real live example is below.

Now the HSTS Header is being successfully applied to our website. Noe let’s discuss about the browsers who support it.
Browsers Who Support HSTS
Here is the list of the browsers who support HSTS.
- Chrome
- Firefox
- Edge
- Safari
- Opera
- Opera Mini
- Chrome Android
- IOS Safari
Does HSTS have any Impact On SEO?
Once your website is approved to be in the preload list, you are going to receive lots of notices regarding 307 redirects.
The reason is, your visitors are trying to view non HTTPS version but they are sent to it.
So, What is 301 AND 307?
301 Redirect: It is permanent redirection at server level.
307 Redirect: It is a temporary redirection at browser level.
Don’t worry, 301 redirects are still happening at server level but it shows 307 redirection.
So we can say “HSTS has no impact on SEO”.
This was all about How To Implement HTTP Strict Transport Security (HSTS) In WordPress.
I hope you enjoyed this tutorial. Please do share with your friends. Also, don’t forget to leave a comment and subscribe our YouTube channel.
Leave a Reply