
How to Enable HTTP Strict Transport Security (HSTS) Policy

Learn how to enable HSTS on your Cloudways-hosted site to enforce HTTPS, prevent SSL attacks, and improve site security.

Written by Syed Abuzar Mehdi
Updated over 8 months ago

Securing your website with HTTPS is essential—but it’s only the first step.

To fully protect your visitors from SSL stripping and man-in-the-middle attacks, enabling HTTP Strict Transport Security (HSTS) is highly recommended.

HSTS is a response header that forces browsers to connect only over secure HTTPS, even if a user tries to access the site via HTTP.

In this guide, you’ll learn what HSTS is, why it matters, and how to safely enable it on your website hosted on the Cloudways Platform by modifying the .htaccess file.




About This Guide: Why and How to Enable HSTS on Your Website

This article walks you through the process of enabling the HTTP Strict Transport Security (HSTS) policy on your website.

You’ll learn what HSTS is, why it’s critical for securing your site, and how to implement it correctly.

At Cloudways, we recommend enabling HSTS as an essential security measure after deploying an SSL certificate and setting up HTTPS redirection.

By adding a simple rule to your web application’s .htaccess file, you can instruct browsers to always connect using a secure HTTPS connection—protecting your visitors from potential SSL-based attacks and redirect vulnerabilities.

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security feature that tells browsers to only access your website using HTTPS—never HTTP.

It works by sending a special response header (Strict-Transport-Security) from your server, which instructs the browser to enforce secure connections for a defined period.

Introduced by Google in 2016, HSTS helps prevent common threats like SSL stripping and man-in-the-middle (MITM) attacks.

Once enabled, it ensures that all future visits to your site—and its subdomains—are automatically redirected to the secure HTTPS version, even if a user types in or clicks an insecure HTTP link.

Why Enable HTTP Strict Transport Security (HSTS)?

Enabling HSTS is an important step to strengthen your website’s security. It protects your visitors from SSL-based attacks, such as SSL stripping and cookie hijacking, by forcing browsers to always use the secure HTTPS version of your site.

Even if your website already redirects from HTTP to HTTPS, there’s still a short window where attackers can intercept and redirect visitors to an insecure or fake version of your site.

This is known as a man-in-the-middle (MITM) attack, specifically an SSL stripping attack.

Example: How SSL Stripping Works

Here’s a simplified breakdown of what happens without HSTS:

  1. A user types anotherwebsite.ga in the browser.

  2. The browser tries to load http://anotherwebsite.ga by default.

  3. The website sends a 301 redirect to https://anotherwebsite.ga.

  4. The browser follows the redirect and loads the secure HTTPS version.

During the brief moment between steps 3 and 4, an attacker can step in, block the HTTPS redirect, and keep the user on the insecure HTTP version—leaving sensitive information exposed.

Attackers can even redirect users to a fake site that looks identical to yours, tricking them into entering login details or other personal information.

How HSTS Helps

By enabling HSTS, you eliminate this vulnerability. Once a browser sees your HSTS header, it will always connect over HTTPS, skipping HTTP entirely—even if someone types or clicks an unsecured link.

This makes your website faster, safer, and more trustworthy for users.

How to Enable HTTP Strict Transport Security (HSTS) Policy

Here are a few steps that can help you enable the HSTS policy so you can protect your website’s visitors.

Tip:

It is recommended that you take an on-demand backup of your web application before proceeding further so that you can always restore to the previous point if anything goes wrong while enabling the HSTS policy.

Step #1:

Before enabling the HSTS policy, you need to make sure that the SSL Certificate is deployed on your website, and HTTP to HTTPS redirection is implemented. The following kinds of SSL Certificates can be installed using the Cloudways Platform.

Tip:

Click Here if you would like to know what an SSL Certificate is and what the differences between Single, Multiple, and Wildcard SSL certificates are.

Step #2

Now, you need to connect to your server remotely via SSH so you can access the .htaccess file of your application.

Tip:

If you would like to know what SSH is and why it is used, then Click Here to find out. In this example, we are using Master Credentials to access the server remotely.

You can connect to your server via SSH in two ways, so choose whichever option you prefer. You can also click the hyperlinked bullet points to learn the procedure for connecting to the server remotely.

In this example, we have used the Cloudways Integrated SSH Terminal. You will see a similar window after a successful connection, as shown below:

Step #3:

Now, you need to go to the directory where your webroot is located, in other words, where your .htaccess file lives. By default, this is the public_html directory, so run the command below to change into the public_html folder.

cd applications/<your_application_name>/public_html/

Important:

Angle brackets are included to indicate the position of your input, so make sure to remove the angle brackets. Your application name is the same as your Database name (DB name). Click Here to find out where your application name is located.

Step #4

Here comes the final step of editing the .htaccess file and adding the HSTS rule. Executing the below command will open the file for editing.

vim .htaccess

Once the file is opened, press the i key to enter insert (editing) mode. You will see -- INSERT -- at the bottom of your screen after pressing the key.

Note:

You need to use arrow keys for the cursor navigation.

Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress.

Tip:

To paste the rule after copying, press CTRL+SHIFT+V.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

This rule sets a max-age of one year (31536000 seconds) and, through the includeSubDomains directive, applies the policy to your website's root domain and all of its subdomains. The env=HTTPS condition means Apache only adds the header on HTTPS responses, which is what browsers require before they will honour it.

Once a browser has seen this header, it will refuse to load the unsecured (HTTP) version of the website for a year and will connect over HTTPS instead.

Please make sure that all subdomains are covered in your SSL Certificate, and HTTPS redirection is enabled.

If you fail to do so, then your subdomains will not be accessible after you save the changes in the .htaccess file.

Before committing to the one-year max-age, test your entire website with a five-minute max-age first, using: max-age=300;

Finally, press the ESC key to exit the editing mode and then type and run the below command to save the changes.

:wq!

Note: This command can’t be copied and pasted, you need to type the command and hit Enter key.

Post-Implementation Steps of HSTS

There are a few steps you need to make sure you execute after editing the .htaccess file for the successful implementation of all the changes.

Step #1:

Clear your browser’s cache and cookies, purge the Varnish cache and restart the Apache webserver via Cloudways Platform.

Step #2:

Now verify whether your website actually serves an HSTS policy; there are a couple of methods to do so.

We recommend using a third-party tool called SecurityHeaders.

In this example, we are scanning a dummy website that has no content and no other security headers besides HSTS. As you can see, the report shows ✓ Strict-Transport-Security, which means that the website has a working HSTS policy.

HSTS Preload List

There is also a downside to the HTTP Strict Transport Security (HSTS) policy: a visitor's browser has to see the HSTS header at least once before it can take advantage of it on future visits.

This means that visitors still go through the HTTP to HTTPS redirect at least once, leaving them exposed the first time they visit an HSTS-enabled website.

To counter this, Google introduced the HSTS Preload List, a list of domains that comply with a few simple criteria and is built into the browser itself, so the policy is enforced even on the very first visit.

Similarly, other browsers such as Internet Explorer, Firefox, Safari, and Opera have their own HSTS Preload Lists, which are based on Chrome's HSTS Preload List.

The following are the criteria for listing your website on the HSTS Preload List.

  1. Your application should have a valid SSL/TLS certificate.

  2. Your application should force HTTPS redirection.

  3. Serve all subdomains over HTTPS. In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.

  4. Serve an HSTS header on the base domain for the HTTPS requests.

  • The preload directive must be present.

  • The max-age must be at least 31536000 seconds (one year).

  • The includeSubDomains directive must be defined.

  • If your HTTPS site serves an additional redirect, that redirect response must itself carry the HSTS header, not only the page it redirects to.

If your website meets these criteria, then you may submit your HSTS-enabled website to the HSTS Preload List. Websites added to this list are hardcoded into future releases of Chrome, which ensures that visitors using an up-to-date version of Chrome remain protected from their very first visit.
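The following is an added example, written for this article and not part of the Cloudways documentation or tooling, that models how a browser consumes the Strict-Transport-Security rule from Step #4 (first-visit exposure, subdomain coverage, expiry after max-age) and checks a header value against the header-related preload criteria listed above. The parser follows RFC 6797 (max-age mandatory, directive names case-insensitive, duplicated directives make the header invalid). The host names, header values and simulated clock are constructed for the demonstration; anotherwebsite.ga is the example domain used earlier in this article.

```python
# Added example: a toy browser-side HSTS store plus a preload-criteria check.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the max-age used in the rule from Step #4


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for an invalid header, which a browser simply ignores."""
    seen: Dict[str, str] = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerates a trailing ';' as in "max-age=300;"
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # duplicated directive: whole header is invalid
        seen[name] = value.strip().strip('"')  # max-age="600" is also legal
    if not seen.get("max-age", "").isdigit():
        return None  # max-age is mandatory
    return HstsPolicy(max_age=int(seen["max-age"]),
                      include_subdomains="includesubdomains" in seen,
                      preload="preload" in seen)


class Browser:
    """Minimal user agent that remembers HSTS hosts and upgrades http:// URLs."""

    def __init__(self, now: int = 0) -> None:
        self.now = now  # simulated clock in seconds (constructed)
        self.known: Dict[str, Tuple[int, bool]] = {}  # host -> (expiry, subdomains)

    def observe_response(self, url: str, headers: Dict[str, str]) -> None:
        """Store the policy from a response; RFC 6797 says to ignore the header
        unless it arrived over HTTPS (hence env=HTTPS in the Apache rule)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.known.pop(parts.hostname, None)  # max-age=0 withdraws the policy
            return
        self.known[parts.hostname] = (self.now + policy.max_age,
                                      policy.include_subdomains)

    def _covered(self, host: str) -> bool:
        for known, (expiry, subdomains) in self.known.items():
            if expiry <= self.now:
                continue  # policy lapsed after max-age seconds
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL actually requested: a known HSTS host is upgraded to
        https:// before any packet leaves the machine, so there is no plaintext
        redirect for an SSL-stripping attacker to interfere with."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._covered(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def preload_problems(header: str) -> List[str]:
    """Reasons a header fails the header-related preload criteria above
    (an empty list means the header itself qualifies)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or invalid (max-age is required)"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload missing")
    return problems


def demo() -> Dict[str, str]:
    """Replay the SSL-stripping scenario from the article with and without HSTS."""
    rule = "max-age=31536000; includeSubDomains; preload"  # value from Step #4
    browser, result = Browser(now=0), {}
    # First ever visit: no header seen yet, so plain HTTP goes out and the
    # 301 redirect can be stripped on the wire.
    result["first_visit"] = browser.navigate("http://anotherwebsite.ga/")
    browser.observe_response("https://anotherwebsite.ga/",
                             {"Strict-Transport-Security": rule})
    result["second_visit"] = browser.navigate("http://anotherwebsite.ga/login")
    result["subdomain"] = browser.navigate("http://shop.anotherwebsite.ga/")
    browser.now += ONE_YEAR + 1  # after max-age the browser forgets the host
    result["after_expiry"] = browser.navigate("http://anotherwebsite.ga/")
    return result
```

Running demo() shows the first visit still going out as http://, every later visit (including the shop subdomain) being rewritten to https:// inside the browser, and the host being forgotten once max-age has elapsed; preload_problems("max-age=300;") lists all three reasons the five-minute test value from Step #4 would not be accepted for preloading.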

SEO Impact on HSTS-enabled Website

You may see warnings from SEO tools about 307 redirects once your website is added to the HSTS preload list.

This happens when someone tries to access your website on the unsecured HTTP protocol, and as a result, a 307 redirect happens instead of a 301 redirect.

301 is a permanent redirect, whereas 307 is a temporary redirect; but if your SEO tools only show a 307 redirect, that does not mean the 301 redirect is no longer happening.

The 307 redirect takes place at the browser level (the browser upgrades the request to HTTPS internally before sending it), whereas the 301 redirect is issued by the application on the server.

You can scan your website with any online redirect checker to verify that the 301 redirect is still in place; we recommend using httpstatus.

You have now learned about HTTP Strict Transport Security (HSTS). There are some other safety measures that Cloudways recommends you take after installing an SSL certificate, besides implementing the HSTS policy.


Cloudways allows you to enable the HTTP Strict Transport Security (HSTS) policy for all types of websites. It supports leading applications including Magento, Laravel, PHP and WordPress hosting.

Recommended Action!

Protect your website from threats with Cloudways Server Protection—secure, reliable, and performance-ready.


That’s it! We hope this article was helpful.
