Really Simple SSL pro Settings Warnings & Errormessages

Inserting HSTS header using PHP

HSTS Header insertion

Really Simple SSL pro has the ability to set HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess file used by Apache and related webservers. Inserting the HSTS header in the .htaccess file is a reliable way to send the HSTS header when a user visits your website. However it is not always possible to insert the HSTS header in the .htaccess file. For example when using a webserver that doesn’t support .htaccess, or when the .htaccess file is not writeable, the plugin will insert the HSTS header using PHP.

PHP header used for HSTS, so why a warning?

PHP header will usually work fine. However, the PHP method is not as reliable as the .htaccess method. Caching plugins prevent PHP code from being executed resulting in the HSTS header not being sent and thus will cause the HSTS not to be set correctly. Because of this, Really Simple SSL pro will warn you about this. If you don’t use caching, you can let HSTS to be set using PHP.

Inserting the HSTS header without using PHP

If your webserver uses Apache or a related webserver that uses an .htaccess file, making the .htaccess file writeable will allow Really Simple SSL to insert the HSTS header in the .htaccess file instead of using the PHP header.

The process is different for Nginx webservers. Nginx doesn’t use a .htaccess file, but (usually) a nginx.conf file in which the HSTS header can be declared. At this moment Really Simple SSL will set the HSTS using PHP headers. Adding HSTS to your Nginx configuration is pretty straightforward. Nginx has written a detailed guide on setting up HSTS in your Nginx configuration. If you need any assistance with this, just contact our support.

In short, it’s preferred to declare the HSTS header directly in either your .htaccess file or server configuration.

Testing the HSTS header

An easy way to check if the HSTS header is sent is by going to a redirect checker and see if the header is passed. When everything is working correctly, you should be able to see the HSTS header being passed, like in the image below:

Another option to test the HSTS header using the command line is: curl -I https://yourdomain.com

Related Articles

  • Download link expired

    If your download link from your purchase email has expired, you can create an account with the email address you used to do the purchase. After you register, you can...
  • Plugin conflict force rewrite title Yoast

    * Update* This issue should be resolved in the 2.4 version. I left the Yoast check for now, but this warning will be removed in future versions. If you have...
  • Updating Really Simple SSL extensions

    Really Simple SSL pro, Really Simple SSL per page,Really Simple SSL pro multisite, and Really Simple SSL social use the licensing framework from Easy Digital Downloads, which is a proven...
  • My website does a double redirect to https, or not 301 redirect

    Some users ask for a fix for a double redirect. But Really Simple SSL does not do a double redirect! The plugin uses two ways to redirect: in the .htaccess...

Leave a Comment