Really Simple SSL pro Settings Warnings & Errormessages

Inserting HSTS header using PHP

HSTS Header insertion

Really Simple SSL pro has the ability to set HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess file used by Apache and related webservers. Inserting the HSTS header in the .htaccess file is a reliable way to send the HSTS header when a user visits your website. However it is not always possible to insert the HSTS header in the .htaccess file. For example when using a webserver that doesn’t support .htaccess, or when the .htaccess file is not writeable, the plugin will insert the HSTS header using PHP.

PHP header used for HSTS, so why a warning?

PHP header will usually work fine. However, the PHP method is not as reliable as the .htaccess method. Caching plugins prevent PHP code from being executed resulting in the HSTS header not being sent and thus will cause the HSTS not to be set correctly. Because of this, Really Simple SSL pro will warn you about this. If you don’t use caching, you can let HSTS to be set using PHP.

Inserting the HSTS header without using PHP

If your webserver uses Apache or a related webserver that uses an .htaccess file, making the .htaccess file writeable will allow Really Simple SSL to insert the HSTS header in the .htaccess file instead of using the PHP header.

The process is different for Nginx webservers. Nginx doesn’t use a .htaccess file, but (usually) a nginx.conf file in which the HSTS header can be declared. At this moment Really Simple SSL will set the HSTS using PHP headers. Adding HSTS to your Nginx configuration is pretty straightforward. Nginx has written a detailed guide on setting up HSTS in your Nginx configuration. If you need any assistance with this, just contact our support.

In short, it’s preferred to declare the HSTS header directly in either your .htaccess file or server configuration.

Testing the HSTS header

An easy way to check if the HSTS header is sent is by going to a redirect checker and see if the header is passed. When everything is working correctly, you should be able to see the HSTS header being passed, like in the image below:

Another option to test the HSTS header using the command line is: curl -I https://yourdomain.com

Related Articles

  • Website not accessible with SSL

    If you cannot access your website, but do not have redirect loop errors, your SSL certificate might be invalid. Normally Really Simple SSL checks if ssl is available, and only...
  • Download link expired

    If your download link from your purchase email has expired, you can create an account with the email address you used to do the purchase. After you register, you can...
  • How to install Really Simple SSL pro

    Installation of Really Simple SSL pro is just like any other plugin, except that you can’t download it from the WordPress repository, you have to upload it yourself. Do not...
  • No SSL detected, but I’m sure I have SSL

    No SSL was detected If you see this message at the top of your page, this can mean two things: You don’t have an SSL certificate. You can check this...

Leave a Comment