There are several causes for HTTP Strict Transport Security (HSTS) not working correctly. The most common HSTS issues are listed in this article.
Response error: Multiple HSTS headers (number of HSTS headers: 2)
When you see this error the HSTS header has been set twice. The HSTS header should be set only once. This is usually caused by a second HSTS header, added by either your hosting provider or a different plugin. This header is often located in the .htaccess file. Check your .htaccess file for any duplicate ‘Strict-Transport-Security’ entries. Any entries outside of the #BEGIN Really_Simple_SSL_SECURITY_HEADERS and #END Really_Simple_SSL_SECURITY_HEADERS block can be safely removed.
Still having issues? Fill in a support request and we’ll help you figure out what might be going wrong.
How to check if the HSTS header is set
The first thing to check if is the HSTS option has been enabled.
HSTS can be enabled by navigating to the Settings->SSL->Settings tab and enabling the ‘Turn HTTP Strict Transport Security on’ option. If you also want to configure your site for the HSTS preload list, you can enable the ‘Configure your site for the HSTS preload list’ as well.
The first step in troubleshooting this issue is to check if the HSTS header is set on your website. You can test this by entering your domain on HTTPstatus.io and see if the HSTS header is returned. If the HSTS header is set you will see a Strict-Transport-Security block:
If this block appears the HSTS header is active. When the ‘Configure your site for the HSTS preload list’ option has been enabled, you will see an HSTS header with ‘includeSubdomains; preload’ added. This means the site is eligible for the HSTS preload list.
If you don’t see a Strict-Transport-Security block this indicates that the HSTS header is not active. This can have a number of reasons. Really Simple SSL Pro sets the HSTS header between tags:
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
This means that the HSTS header will only be set when the Apache module mod_headers.c has been enabled on the webserver. Some hosting environments do not have this module enabled. If you do see the HSTS header in your .htaccess file but not on HTTPstatus.io, contact your hosting provider and ask if they have enabled the mod_headers.c module.
Some hosting providers block the HSTS header entirely. If you do see the HSTS header in your .htaccess file and the mod_headers.c module is enabled but the Strict-Transport-Security block doesn’t show up in the test, there’s a possibility your hosting provider has blocked the HSTS header altogether. Contact your hosting provider and ask if this is the case.
Error: No HSTS header. Response error: No HSTS header is present on the response
If you see the No HSTS header is present on the response error, the HSTS header hasn’t been set correctly. See ‘How to check if HSTS is set’ to check if the HSTS header is set in your .htaccess file.
‘www.example.com’ is a subdomain. Please preload ‘example.com’ instead
A www. domain is seen as a subdomain. To resolve this error, submit the domain without www.
Example.com (HTTP) should immediately redirect to ‘https://example.com’ (HTTPS) before adding the www subdomain. Right now, the first redirect is to www.example.com
For HSTS to work correctly, the first redirect should be from http:// to https://. Really Simple SSL will add a redirect to https:// by default. This redirect will take priority above other redirects.
If the site redirects to http://www before redirecting to https:// it’s likely there is another redirect set. This redirect should be removed. Often these redirects are located in the .htaccess file. Check your .htaccess file for a redirect to http://www and remove it.
This redirect can also be done by a redirection plugin. Temporarily disable your redirection plugin(s) and check your .htaccess file for a redirect to http://www. This can be fixed by moving the redirect below the Really Simple SSL redirect. Don’t forget to update the redirect to https://www.