Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to enable HTTP Strict-Transport-Security (HSTS) for a domain in Plesk?
Answer
- Install the SSL It! extension in Extensions.
- Navigate to Domains > example.com > Hosting Settings and make sure SSL/TLS support is enabled.
- Navigate to Domains > example.com > SSL/TLS Certificates.
- Click on the HSTS button.
- Configure the HSTS options and click on Enable HSTS.
Note: The Strict-Transport-Security parameters are shown as an example only; the custom directive may vary depending on the site owner's needs.
Configure HSTS manually:
On Linux
- Go to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
- Navigate to Domains > example.com > Apache & nginx Settings to specify the HSTS header:
  - If nginx is present on the server, add the following line to the Additional nginx directives:
    CONFIG_TEXT: add_header Strict-Transport-Security "max-age=31536000" always;
  - If only Apache is used on the server (the Additional nginx directives field is absent), add the following line to the Additional directives for HTTPS:
    CONFIG_TEXT: Header always set Strict-Transport-Security "max-age=31536000"
Note: Additional directives can be modified only by the server's administrator. If these fields are absent in Apache & nginx Settings, contact your service provider to configure HSTS.
Note: If both the nginx and the Apache additional headers are applied to the domain, some services, such as Qualys SSL Labs, might report that the HSTS policy is invalid.
On Windows
- Navigate to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
- Connect to the server via RDP.
- Go to IIS Manager > <ServerName> > Sites > example.com > HTTP Response Headers > Add...
- Submit the fields as follows:
  - Name: Strict-Transport-Security
  - Value: max-age=31536000
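The steps above should leave the HTTP side redirecting with a 301 and the HTTPS side sending exactly one valid Strict-Transport-Security header. The following checker is an added example (not Plesk code or part of this article) that validates constructed response headers against those expectations: it parses the header per RFC 6797, flags a header sent over plain HTTP, flags the doubled header that the nginx-plus-Apache note warns about, and checks the one-year max-age and the includeSubDomains requirement for preload. The sample headers and the example.com redirect target are constructed for the demonstration.

```python
# Added example (not Plesk's code): validate the responses the steps above should
# produce, using constructed header lists instead of live HTTP requests.

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in directives:           # a directive must not appear twice
            raise ValueError("duplicate directive %r" % name)
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def check_hsts(scheme, status, headers, min_age=31536000):
    """Return findings for one response given as (name, value) pairs; [] means it looks right."""
    findings = []
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if scheme == "http":
        # The plain-HTTP side should only redirect; browsers ignore STS sent over HTTP.
        if status != 301 or not location.startswith("https://"):
            findings.append("http: expected a 301 redirect to https://")
        if sts:
            findings.append("http: STS header sent over plain HTTP is ignored by browsers")
        return findings
    if not sts:
        return ["https: no Strict-Transport-Security header"]
    if len(sts) > 1:
        # Happens when both the nginx and the Apache directive from the article are set.
        findings.append("https: STS header sent %d times; scanners may reject the policy" % len(sts))
    try:
        policy = parse_sts(sts[0])       # browsers honour only the first STS field
    except ValueError as err:
        return findings + ["https: invalid STS header: %s" % err]
    if int(policy["max-age"]) < min_age:
        findings.append("https: max-age %s is below %d" % (policy["max-age"], min_age))
    if "preload" in policy and "includesubdomains" not in policy:
        findings.append("https: preload also requires includeSubDomains (hstspreload.org)")
    return findings


if __name__ == "__main__":   # constructed sample: the article's nginx directive on HTTPS
    print(check_hsts("https", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]))
    print(check_hsts("http", 301, [("Location", "https://example.com/")]))
```

To check a live domain, collect the response headers for the http:// and https:// URLs with any HTTP client and pass them as (name, value) pairs, keeping duplicates.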
Comments
10 comments
I'm not sure the answer is correct...
Following these steps above meant that the http webpage would 301 redirect to the https webpage which would 301 redirect to itself ad infinitum. Removing the return 301 https://$host$request_uri; line made it work correctly for me. These are the steps I followed to make it work correctly:
1. Enable Permanent SEO-safe 301 redirect from HTTP to HTTPS in Plesk > Domains > example.com > Hosting Settings.
2. Go to Plesk > Domains > example.com > Apache & nginx Settings and insert the following Additional nginx directives:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
@Jayden Pearse
Hello! Thanks for noticing that. I have updated the article.
Hi Yulia,
I was invited to comment on your article
https://talk.plesk.com/threads/hsts-and-ssl-conf-command.345644/#post-838086
According to RFC 6797 (https://tools.ietf.org/html/rfc6797) we should NOT send this when the connection is plain http.
The exact reasons for this are beyond my paygrade.
In that thread I describe how to accomplish this.
PS...
The "always" parameter should be examined too.
Some sites were unable to detect the header until I added the extra parameter "always".
The "includeSubdomains" should be used with caution. It is quite easy to overlook the usage of some subdomains.
If enabled, the parameter "preload" should be considered.
https://hstspreload.org/
@frater, Hi! Thanks for your input! The article was modified accordingly. If you think that something is missing here, please let us know.
The UserVoice idea has been implemented now and this functionality is supported in the SSL It! extension. Could you please update this article accordingly?
@Dennis Am, thanks for letting us know! I've updated the article to show that it's now available as a part of SSL It! extension
Just enabled HSTS on my 100asa.it domain, but the check on https://hstspreload.org/?domain=100asa.it tells me: Error: No preload directive
Where can I add this directive?
@Remigio Ruberto
Hi, in the current implementation of the HSTS feature in Plesk, it is not possible to add 'preload'. You can leave your comments and suggestions for improving this feature here:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/5079332-support-for-http-strict-transport-security-hsts#{toggle_previous_statuses}
You can do it only manually by modifying the corresponding configuration file /etc/nginx/plesk.conf.d/vhosts/example.com.conf. However, you should keep in mind that whenever you make changes to domain settings in Plesk, your manual changes will be overwritten.
The solution that works perfectly for me is:
1. Go to Domain > select your domain > Go to SSL > Enable Redirect from http to https
2. Go to Apache & Nginx > Additional nginx directives, copy and paste this code:
3. Test your website: https://hstspreload.org/