- Plesk for Linux
- Plesk for Windows
How to enable HTTP Strict-Transport-Security (HSTS) for a domain in Plesk?
The option for enabling HSTS in the Plesk interface is yet to be implemented. There is already an existing feature suggestion on the Plesk User Voice.
The Strict-Transport-Security parameters are shown as an example only; the custom directive may vary depending on the site owner's needs.
As a workaround, do the following:
For Plesk for Linux:
Go to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
Navigate to Domains > example.com > Apache & nginx Settings to specify the STS header:
Note: If both nginx and Apache additional headers are applied to the domain, some services, such as Qualys SSL Labs, might report that the HSTS policy is invalid.
If nginx is present on the server, add the following line to the Additional nginx directives:
CONFIG_TEXT: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
If only Apache is used on the server (the Additional nginx directives field is absent), add the following line to the Additional directives for HTTPS:
CONFIG_TEXT: Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
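To confirm the result on either platform after the header is in place, the following added example (not part of the original article or of Plesk) audits the response headers of an HTTPS reply. The function names, the `min_age` threshold and the sample headers are assumptions constructed for illustration, and it assumes the both-servers case from the note above shows up as a repeated header.

```python
import http.client

HSTS = "strict-transport-security"

def parse_hsts(value):
    """Parse one header value into (max_age, include_subdomains)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age missing or not an integer")
    return int(age), "includesubdomains" in directives

def audit_hsts(headers, min_age=31536000):
    """headers: (name, value) pairs from an HTTPS response. Empty list means OK."""
    values = [v for k, v in headers if k.lower() == HSTS]
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("%d HSTS headers sent; set the header in one place only" % len(values))
    try:
        max_age, _ = parse_hsts(values[0])  # RFC 6797: only the first header is processed
    except ValueError as exc:
        return findings + ["invalid policy: %s" % exc]
    if max_age < min_age:  # min_age is an assumed threshold, not a Plesk setting
        findings.append("max-age %d is below %d" % (max_age, min_age))
    return findings

def fetch_headers(host):
    """Live check: HEAD request over HTTPS, returns the raw header pairs."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheaders()

# Constructed sample: the header present twice, once per web server.
DUPLICATED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
              ("Strict-Transport-Security", "max-age=31536000; includeSubdomains")]

if __name__ == "__main__":
    print(audit_hsts(DUPLICATED))
```

For a live domain, pass the result of `fetch_headers("example.com")` to `audit_hsts`.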
For Plesk for Windows:
Navigate to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
Connect to the server via RDP.
Go to IIS Manager > <ServerName> > Sites > example.com > HTTP Response Headers > Add...
Submit the fields as follows: