Really Simple SSL pro Settings Warnings & Errormessages

Inserting HSTS header using PHP

HSTS Header insertion

Really Simple SSL pro has the ability to set HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess file used by Apache and related webservers. Inserting the HSTS header in the .htaccess file is a reliable way to send the HSTS header when a user visits your website. However it is not always possible to insert the HSTS header in the .htaccess file. For example when using a webserver that doesn’t support .htaccess, or when the .htaccess file is not writeable, the plugin will insert the HSTS header using PHP.

PHP header used for HSTS, so why a warning?

PHP header will usually work fine. However, the PHP method is not as reliable as the .htaccess method. Caching plugins prevent PHP code from being executed resulting in the HSTS header not being sent and thus will cause the HSTS not to be set correctly. Because of this, Really Simple SSL pro will warn you about this. If you don’t use caching, you can let HSTS to be set using PHP.

Inserting the HSTS header without using PHP

If your webserver uses Apache or a related webserver that uses an .htaccess file, making the .htaccess file writeable will allow Really Simple SSL to insert the HSTS header in the .htaccess file instead of using the PHP header.

The process is different for Nginx webservers. Nginx doesn’t use a .htaccess file, but (usually) a nginx.conf file in which the HSTS header can be declared. At this moment Really Simple SSL will set the HSTS using PHP headers. Adding HSTS to your Nginx configuration is pretty straightforward. Nginx has written a detailed guide on setting up HSTS in your Nginx configuration. If you need any assistance with this, just contact our support.

In short, it’s preferred to declare the HSTS header directly in either your .htaccess file or server configuration.

Testing the HSTS header

An easy way to check if the HSTS header is sent is by going to a redirect checker and see if the header is passed. When everything is working correctly, you should be able to see the HSTS header being passed, like in the image below:

Another option to test the HSTS header using the command line is: curl -I https://yourdomain.com

Related Articles

  • How to clear HSTS from your browser

    If you enabled HSTS on your site, you’ll have to clear it from your browser after you disabled it again. Otherwise, your site willl keep loading over SSL. There are...
  • Really Simple SSL Multisite set-up and tips

    Really Simple SSL is fully multisite compatible. In combination with Really Simple SSL pro multisite you get full control over your multisite SSL setup. The different options you have when...
  • err_SSL_VERSION_OR_CIPHER_MISMATCH

    err_SSL_VERSION_OR_CIPHER_MISMATCH This error means that the server and client (browser) are unable to establish a secure connection between them. To establish a secure connection between the server and client they...
  • SSL activated! message not going away

    After activation of SSL in Really Simple SSL, there’s a success message that confirms your site has been migrated to https. SSL activated! Don’t forget to change your settings in...

Leave a Comment