How to enable Strict-Transport-Security (HSTS) for a domain?

  • Jayden Pearse (Edited)

    I'm not sure the answer is correct...

    Following these steps above meant that the http webpage would 301 redirect to the https webpage which would 301 redirect to itself ad infinitum. Removing the return 301 https://$host$request_uri; line made it work correctly for me. These are the steps I followed to make it work correctly:

    1. Enable Permanent SEO-safe 301 redirect from HTTP to HTTPS in Plesk > Domains > > Hosting Settings.
    2. Go to Plesk > Domains > > Apache & nginx Settings and insert the following Additional nginx directives:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
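
An added example, not part of the comment above or of the Plesk article: a small offline check that tells the redirect loop described in the comment apart from the working setup and parses the resulting HSTS header. The host example.test, the response tables and both function names are constructed for illustration.

```python
# Constructed sample responses (not captured from a real server): URL -> (status, headers).
# BROKEN models the loop from the comment: the HTTPS vhost also carries
# `return 301 https://$host$request_uri;`. FIXED models the corrected setup.
BROKEN = {
    "http://example.test/":  (301, {"Location": "https://example.test/"}),
    "https://example.test/": (301, {"Location": "https://example.test/"}),
}
FIXED = {
    "http://example.test/":  (301, {"Location": "https://example.test/"}),
    "https://example.test/": (200, {"Strict-Transport-Security":
                                    "max-age=31536000; includeSubDomains"}),
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_site(responses, start, max_hops=10):
    """Follow redirects through `responses` and report the HSTS outcome."""
    url, seen = start, set()
    for _ in range(max_hops):
        if url in seen:
            return {"ok": False, "reason": "redirect loop", "url": url}
        seen.add(url)
        status, headers = responses[url]
        if status in (301, 302, 307, 308):
            url = headers["Location"]
            continue
        hsts = headers.get("Strict-Transport-Security")
        # Browsers ignore HSTS received over plain HTTP (RFC 6797, section 8.1).
        if not url.startswith("https://") or hsts is None:
            return {"ok": False, "reason": "no HSTS over HTTPS", "url": url}
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            return {"ok": False, "reason": "invalid max-age", "url": url}
        return {"ok": True, "max_age": max_age, "include_subdomains": include_sub, "url": url}
    return {"ok": False, "reason": "too many redirects", "url": url}
```

check_site(BROKEN, "http://example.test/") reports the redirect loop, while the same call on FIXED returns the parsed one-year max-age with includeSubDomains set.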

  • Artyom Baranov

    @Jayden Pearse

    Hello! Thanks for noticing that. I have updated the article.
