
Inserting HSTS header using PHP

HSTS Header insertion

Really Simple SSL pro can set the HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess file used by Apache and related webservers. Inserting the HSTS header in the .htaccess file is a reliable way to send the HSTS header when a user visits your website. However, it is not always possible to insert the HSTS header in the .htaccess file. For example, when you use a webserver that doesn’t support .htaccess, or when the .htaccess file is not writeable, the plugin will insert the HSTS header using PHP.

PHP header used for HSTS, so why a warning?

The PHP header will usually work fine. However, the PHP method is not as reliable as the .htaccess method. Caching plugins prevent PHP code from being executed, so the HSTS header is not sent and HSTS is not set correctly. Because of this, Really Simple SSL pro will warn you about this. If you don’t use caching, you can let HSTS be set using PHP.

Inserting the HSTS header without using PHP

If your webserver uses Apache or a related webserver that uses an .htaccess file, making the .htaccess file writeable will allow Really Simple SSL to insert the HSTS header in the .htaccess file instead of using the PHP header.

The process is different for Nginx webservers. Nginx doesn’t use a .htaccess file, but (usually) an nginx.conf file in which the HSTS header can be declared. At this moment Really Simple SSL will set the HSTS header using PHP headers on Nginx. Adding HSTS to your Nginx configuration is pretty straightforward. Nginx has written a detailed guide on setting up HSTS in your Nginx configuration. If you need any assistance with this, just contact our support.

In short, it’s preferred to declare the HSTS header directly in either your .htaccess file or server configuration.

Testing the HSTS header

An easy way to check whether the HSTS header is sent is to go to a redirect checker and see if the header is passed. When everything is working correctly, you should be able to see the HSTS header being passed.

Another option to test the HSTS header using the command line is: curl -I https://yourdomain.com
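
The curl check above can be scripted so that it also catches a response that arrives without the header, for example a page served from a cache. The following is an added example, not part of the original article or the plugin's code; the function name hsts_status and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Really Simple SSL code. hsts_status is a hypothetical helper.
# Real use: curl -sI https://yourdomain.com | hsts_status
#
# Reads raw response headers on stdin and prints one line:
#   MISSING            no Strict-Transport-Security header in the response
#   INVALID <value>    header present, but max-age is absent or not a number
#   PRESENT max-age=N includeSubDomains=yes|no preload=yes|no
# Exit status is 0 only when max-age > 0 (max-age=0 makes browsers drop the policy).
hsts_status() {
    # Header names are case-insensitive and curl prints CRLF line endings.
    # Only the first HSTS header counts, as in browsers (RFC 6797, section 8.1).
    hs_line=$(tr -d '\r' | grep -i -m1 '^strict-transport-security[[:space:]]*:' || true)
    [ -n "$hs_line" ] || { echo "MISSING"; return 1; }
    hs_value=$(printf '%s' "${hs_line#*:}" | sed 's/^[[:space:]]*//')
    hs_age=""; hs_sub=no; hs_pre=no
    # Directives are ';'-separated, case-insensitive, and max-age may be quoted.
    hs_dirs=$(printf '%s' "$hs_value" | tr ';' '\n' | tr -d ' \t"' | tr '[:upper:]' '[:lower:]')
    while IFS= read -r hs_part; do
        case "$hs_part" in
            max-age=*)         hs_age=${hs_part#max-age=} ;;
            includesubdomains) hs_sub=yes ;;
            preload)           hs_pre=yes ;;
        esac
    done <<EOF
$hs_dirs
EOF
    case "$hs_age" in
        ''|*[!0-9]*) echo "INVALID $hs_value"; return 1 ;;
    esac
    echo "PRESENT max-age=$hs_age includeSubDomains=$hs_sub preload=$hs_pre"
    [ "$hs_age" -gt 0 ]
}

# Constructed sample 1: header sent (by .htaccess, server config or PHP).
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n' | hsts_status || true
# Constructed sample 2: page served from a cache without PHP running, so no header.
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Cache: HIT\r\n\r\n' | hsts_status || true
```

When the header is set using PHP and a caching plugin is active, run the check twice against the same URL, since the second response is the one more likely to come from the cache.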
