I can not enable HSTS

Discussion in 'Bug Reports' started by Émerson Felinto, Feb 6, 2018.

  1. Émerson Felinto

    Émerson Felinto Well-Known Member

  2. Tishu

    Tishu Well-Known Member

    Hello,

    If you are using an Apache-like config, please see the first part of the quoted wiki.
     
  3. Émerson Felinto

    Émerson Felinto Well-Known Member

    Hello,
    I do not know exactly what you're talking about. I just installed LiteSpeed on my cPanel server using the steps that the LiteSpeed wiki gives me.
     
  4. Pong

    Pong Well-Known Member Staff Member

    For cPanel, LiteSpeed will use the Apache configuration. You should choose "Using Apache Configs", not "Using LSWS-Native Configs". Basically, add the following in .htaccess:
    Header always set Strict-Transport-Security "max-age=31536000"
     
  5. Émerson Felinto

    Émerson Felinto Well-Known Member

    Got it!
    I have several sites on my server and I can not add this policy to every .htaccess. Can you provide me information on how I can apply this across all sites?
     
  6. Pong

    Pong Well-Known Member Staff Member

    Then you can add it to the cPanel pre_main_global setting.
     
  7. Émerson Felinto

    Émerson Felinto Well-Known Member

    I activated HSTS via Apache but I did not notice any changes in the headers. Am I testing the wrong way? How do I know that HSTS is active?
     
  8. Jon K

    Jon K Administrator Staff Member

  9. Émerson Felinto

    Émerson Felinto Well-Known Member

    It's working, it's fantastic, thank you!!!!
    But I was really wrong about how HSTS works. I thought that sites with HTTP would automatically be redirected to HTTPS versions. Could you tell me why this did not happen and how do I solve it?
     
  10. Jon K

    Jon K Administrator Staff Member

    HSTS just states to use HTTPS over HTTP once it is being used. If you still have links that force http:// then they will still go the insecure route. You will need to create rewrite rules to force requests http -> https.
     
