- Plesk for Linux
- Plesk for Windows
How to enable HTTP Strict-Transport-Security (HSTS) for a domain in Plesk?
The option for enabling HSTS is not currently implemented in the Plesk interface. Vote for it on our User Voice.
The Strict-Transport-Security parameters are shown as an example only; the custom directive may vary depending on the site owner's needs.
HSTS can be configured manually as a workaround:
Go to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
Navigate to Domains > example.com > Apache & nginx Settings to specify the HSTS header:
If nginx is present on the server, add the following line to the Additional nginx directives:
add_header Strict-Transport-Security "max-age=31536000" always;
If only Apache is used on the server (the Additional nginx directives field is absent), add the following line to the Additional directives for HTTPS:
Header always set Strict-Transport-Security "max-age=31536000"
Note: Additional directives can be modified only by the server's administrator. If these fields are absent in Apache & nginx Settings, contact the service provider to configure HSTS.
Note: If both nginx and Apache additional headers are applied to the domain, some services, such as Qualys SSL Labs, might report that the HSTS policy is invalid.
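To verify the result and catch the duplicate-header case from the note above, this added example (not part of the original article or of Plesk) audits the Strict-Transport-Security header(s) in a raw response header block. The function names and the sample responses are constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse one header value into {directive: value}; raise ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"directive {name!r} repeated")
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives

def audit(raw_headers):
    """Return a list of findings for the HSTS header(s) in a raw header block."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        # Typical when both the nginx and the Apache directive are applied.
        findings.append(f"duplicate: header sent {len(values)} times")
    for v in values:
        try:
            d = parse_hsts(v)
        except ValueError as exc:
            findings.append(f"invalid: {exc}")
            continue
        if int(d["max-age"]) == 0:
            findings.append("disabled: max-age=0 removes the HSTS policy")
    return findings

# Constructed sample responses (not captured from a real server).
SINGLE = 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n'
BOTH = SINGLE + 'Strict-Transport-Security: max-age=31536000\r\n'

if __name__ == "__main__":
    for name, sample in (("single", SINGLE), ("both", BOTH)):
        print(name, audit(sample) or "ok")
```

The output of `curl -sI https://example.com` can be passed to `audit()` in place of the constructed samples.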
Navigate to Domains > example.com > Hosting Settings and enable the Permanent SEO-safe 301 redirect from HTTP to HTTPS option.
Connect to the server via RDP
Go to IIS Manager > <ServerName> > Sites > example.com > HTTP Response Headers > Add...
Submit the fields as follows: