Enable HSTS in .htaccess File

Mahfuz_SS_EHL Host Rep, Veteran

Hi,

When enabling HSTS (HTTP Strict Transport Security) via Apache Configuration in WHM Root server, I added "Header always set Strict-Transport-Security "max-age=15552000"" in Apache Configuration > Pre VirtualHost Include & it works.

But when I try to do this via the .htaccess file, it doesn't work out. I tried numerous methods described over the Internet, but none of them worked out.

Is it not working because of some option on my server, such that something is interfering and overriding the Apache configuration? Or am I making a mistake in the .htaccess file?

Comments

  • bersy Member

    It works fine for me.

    <IfModule mod_headers.c>
        Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    </IfModule>
    
  • WSS Member
    edited April 2017

    Did you remember to add mod_headers to your config?

  • doghouch Member
    edited April 2017

    @Mahfuz_SS_EHL said:
    Hi,

    When enabling HSTS (HTTP Strict Transport Security) via Apache Configuration in WHM Root server, I added "Header always set Strict-Transport-Security "max-age=15552000"" in Apache Configuration > Pre VirtualHost Include & it works.

    But when I try to do this via the .htaccess file, it doesn't work out. I tried numerous methods described over the Internet, but none of them worked out.

    Is it not working because of some option on my server, such that something is interfering and overriding the Apache configuration? Or am I making a mistake in the .htaccess file?

    Why not do it directly in the config?

    Also, I always ask this to people enabling HSTS: are you 100% sure that you want to have an age that long? You could permanently ruin your site for users that visit regularly.

    Thanked by 1 zafouhar
  • Mahfuz_SS_EHL Host Rep, Veteran

    @bersy said:
    It works fine for me.

    <IfModule mod_headers.c>
      Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    </IfModule>
    

    I tried that also. Didn't work out for me.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @WSS said:
    Did you remember to add mod_headers to your config?

    You mean I need to add it to the Apache Configuration? If you meant .htaccess, yes, I tried with mod_headers.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @doghouch said:

    @Mahfuz_SS_EHL said:
    Hi,

    When enabling HSTS (HTTP Strict Transport Security) via Apache Configuration in WHM Root server, I added "Header always set Strict-Transport-Security "max-age=15552000"" in Apache Configuration > Pre VirtualHost Include & it works.

    But when I try to do this via the .htaccess file, it doesn't work out. I tried numerous methods described over the Internet, but none of them worked out.

    Is it not working because of some option on my server, such that something is interfering and overriding the Apache configuration? Or am I making a mistake in the .htaccess file?

    Why not do it directly in the config?

    Also, I always ask this to people enabling HSTS: are you 100% sure that you want to have an age that long? You could permanently ruin your site for users that visit regularly.

    I want it for that website I'm trying to enable. That's why I'm looking for a specific option, e.g. .htaccess editing, rather than implementing it directly in the core configuration.

  • WSS Member

    @Mahfuz_SS_EHL said:

    @WSS said:
    Did you remember to add mod_headers to your config?

    You mean I need to add it to the Apache Configuration? If you meant .htaccess, yes, I tried with mod_headers.

    Note that it says IfModule. That means IF it's enabled. Take out the IfModule stanzas, and see if it crashes. If it does, mod_headers is probably not enabled. I'd also suggest checking the logfiles, but the above is the fastest user-level way of checking without root.

    Thanked by 1 doghouch
  • Mahfuz_SS_EHL Host Rep, Veteran

    @WSS said:

    @Mahfuz_SS_EHL said:

    @WSS said:
    Did you remember to add mod_headers to your config?

    You mean I need to add it to the Apache Configuration? If you meant .htaccess, yes, I tried with mod_headers.

    Note that it says IfModule. That means IF it's enabled. Take out the IfModule stanzas, and see if it crashes. If it does, mod_headers is probably not enabled. I'd also suggest checking the logfiles, but the above is the fastest user-level way of checking without root.

    How can mod_headers be enabled? I assume this is the problem.

  • Amitz Member
    edited April 2017

    a2enmod headers
    Then restart Apache.
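
A way to tell apart the outcomes discussed in this thread from the response headers alone, added here as an example and not posted by any participant. The function name `hsts_verdict`, the `sample_*` helpers and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example. hsts_verdict and the sample_* helpers are hypothetical names.
# Feed it the output of:  curl -sI https://your-site.example/

# Read raw response headers on stdin and print one verdict:
#   server-error  5xx, e.g. a Header line outside <IfModule> when mod_headers
#                 is not loaded (the "see if it crashes" test)
#   missing       no HSTS header: the <IfModule> block was skipped, the
#                 .htaccess is not honoured, or env=HTTPS did not match
#   invalid       header present but without a numeric max-age
#   cleared       max-age=0, which tells browsers to drop the policy
#   ok ...        header present, with max-age in seconds and whole days
hsts_verdict() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }              # "HTTP/1.1 200 OK" -> 200
        tolower($0) ~ /^strict-transport-security:/ {
            found = 1
            value = tolower($0)
            sub(/^[^:]*:[ \t]*/, "", value)
            # max-age may be quoted and followed by other directives
            if (match(value, /max-age="?[0-9]+/)) {
                age = substr(value, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", age)
            }
        }
        END {
            if (status >= 500)     print "server-error"
            else if (!found)       print "missing"
            else if (age == "")    print "invalid"
            else if (age + 0 == 0) print "cleared"
            else printf "ok max-age=%d days=%d\n", age, int(age / 86400)
        }'
}

# Constructed sample responses (not captured from any real server).
sample_ok()      { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=15552000\r\n\r\n'; }
sample_missing() { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'; }
sample_500()     { printf 'HTTP/1.1 500 Internal Server Error\r\nServer: Apache\r\n\r\n'; }

for s in sample_ok sample_missing sample_500; do
    printf '%-16s %s\n' "$s" "$($s | hsts_verdict)"
done
```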
