How to enable HTTP Strict-Transport-Security (HSTS) for a domain on the Plesk server?


Comments

9 comments

  • Unknown User (Edited)

    I'm not sure the answer is correct...

    Following these steps above meant that the http webpage would 301 redirect to the https webpage which would 301 redirect to itself ad infinitum. Removing the return 301 https://$host$request_uri; line made it work correctly for me. These are the steps I followed to make it work correctly:

    1. Enable Permanent SEO-safe 301 redirect from HTTP to HTTPS in Plesk > Domains > example.com > Hosting Settings.
    2. Go to Plesk > Domains > example.com > Apache & nginx Settings and insert the following in Additional nginx directives:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    0
  • Artyom Baranov

    @Jayden Pearse

    Hello! Thanks for noticing that. I have updated the article.

    0
  • frater

    Hi Yulia,

    I was invited to comment on your article
    https://talk.plesk.com/threads/hsts-and-ssl-conf-command.345644/#post-838086

    According to RFC 6797 (https://tools.ietf.org/html/rfc6797) we should NOT send this when the connection is plain HTTP.
    The exact reasons for this are beyond my pay grade.

    In that thread I describe how to accomplish this.

    0
  • frater

    PS...

    The "always" parameter should be examined too.
    Some sites were unable to detect the header until I added the extra parameter "always".

    The "includeSubdomains" parameter should be used with caution. It is quite easy to overlook the usage of some subdomains.

    If enabled, the parameter "preload" should be considered.
    https://hstspreload.org/


    0
  • Bulat Tsydenov

    @frater, Hi! Thanks for your input! The article was modified accordingly. If you think that something is missing here, please let us know.

    0
  • Dennis Am

    The UserVoice idea has been implemented now and this functionality is supported in the SSL It! extension. Could you please update this article accordingly?

    0
  • Alexandr Bashurov

    @Dennis Am, thanks for letting us know! I've updated the article to show that it's now available as a part of the SSL It! extension.

    1
  • Remigio Ruberto

    Just enabled HSTS on my 100asa.it domain, but the check on https://hstspreload.org/?domain=100asa.it tells me: Error: No preload directive

    Where can I add this directive?

    0
  • Bulat Tsydenov

    @Remigio Ruberto

    Hi, in the current implementation of the HSTS feature in Plesk, it is not possible to add 'preload'. You can leave your comments and suggestions for improving this feature here:

    https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/5079332-support-for-http-strict-transport-security-hsts#{toggle_previous_statuses}

    You can do it only manually by modifying the corresponding configuration file /etc/nginx/plesk.conf.d/vhosts/example.com.conf. However, you should keep in mind that whenever you make changes to the domain settings in Plesk, your manual changes will be overwritten.

    0
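The points raised across this thread (the header must not be sent over plain HTTP per RFC 6797 section 7.2, nginx's add_header drops it on error responses unless "always" is given, and hstspreload.org rejects a policy without "preload") can all be checked offline against a header value or a captured response. The following is an added example written for this page; it is not Plesk's code and not part of the SSL It! extension. It mirrors the published preload-list criteria (max-age of at least one year, includeSubDomains, and the preload token) and the documented nginx behaviour that add_header only applies to 2xx/3xx responses without "always". The sample header values and responses at the bottom are constructed.

```python
"""Added example (not Plesk's code): parse a Strict-Transport-Security value
and check a captured response for the deployment mistakes discussed above."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


class HstsPolicy:
    """Parsed HSTS directives plus any syntax problems found."""

    def __init__(self) -> None:
        self.max_age: Optional[int] = None
        self.include_subdomains = False
        self.preload = False
        self.problems: List[str] = []


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value (RFC 6797 section 6.1): directives are
    separated by ';', names are case-insensitive, each may appear once, and
    max-age is required. Unknown directives are ignored, as the RFC says."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy.max_age = int(arg)
            else:
                policy.problems.append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("missing required max-age directive")
    return policy


def preload_problems(value: str) -> List[str]:
    """Reasons hstspreload.org would reject this value (assumed published
    criteria: max-age >= 1 year, includeSubDomains, preload token)."""
    policy = parse_hsts(value)
    problems = list(policy.problems)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains directive")
    if not policy.preload:
        problems.append("No preload directive")
    return problems


def check_response(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Check one captured response (scheme, status, headers) for the two
    server-side mistakes in the thread: HSTS emitted over plain http, and
    HSTS missing on an HTTPS error page because add_header lacks `always`."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    problems: List[str] = []
    if scheme == "http":
        if hsts is not None:
            problems.append("HSTS sent over plain HTTP; RFC 6797 section 7.2 forbids it, keep add_header in the HTTPS block")
        if status != 301:
            problems.append(f"plain HTTP returned {status}; expected a permanent 301 redirect to HTTPS")
        return problems
    if hsts is None:
        if 200 <= status < 400:
            problems.append("no Strict-Transport-Security header on an HTTPS response")
        else:
            problems.append(f"no HSTS header on HTTPS status {status}; nginx add_header needs `always` to cover non-2xx/3xx responses")
        return problems
    problems.extend(parse_hsts(hsts).problems)
    return problems


if __name__ == "__main__":
    # Constructed samples: the value posted in the first comment, then a preload-ready one.
    for sample in ("max-age=31536000; includeSubDomains", "max-age=31536000; includeSubDomains; preload"):
        print(sample, "->", preload_problems(sample) or "preload-ready")
    print(check_response("https", 404, {}))
```

Run it against the header your site actually returns (for example the value shown by `curl -sI https://example.com`) to see why hstspreload.org reports "No preload directive", and feed it the response of an HTTPS 404 page to confirm the header survives without "always".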

