- Plesk for Linux
- Plesk for Windows
How to enable HTTP Strict-Transport-Security (HSTS) for a domain in Plesk?
The option for enabling HSTS in the Plesk interface is yet to be implemented. There is already an existing feature suggestion on the Plesk User Voice.
As a workaround, do the following:
First of all, log in to Plesk.
Go to Domains > example.com > Hosting Settings and enable the option Permanent SEO-safe 301 redirect from HTTP to HTTPS.
Add the additional header:
If the proxy mode (Domains > example.com > Apache & nginx Settings > nginx settings) is enabled on the domain: go to Domains > example.com > Apache & nginx Settings > Common Apache settings and add the following custom value in the Additional headers section:
CONFIG_TEXT: Strict-Transport-Security: max-age=31536000; preload
If the proxy mode is disabled on the domain: go to Domains > example.com > Apache & nginx Settings and add the following line to the field Additional nginx directives:
CONFIG_TEXT: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
The Strict-Transport-Security parameters are shown as an example only; the custom directive may vary depending on the site owner's needs.
Enable Require SSL for the domain and all subdomains in Domains > example.com > IIS Settings.
Connect to the server using RDP.
Go to IIS > ServerName > Sites > example.com > HTTP Response Headers > Add....
Submit the fields as follows:
CONFIG_TEXT: Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload