Really Simple SSL pro Settings Warnings & Errormessages

Inserting HSTS header using PHP

HSTS Header insertion

Really Simple SSL pro has the ability to set HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess file used by Apache and related webservers. Inserting the HSTS header in the .htaccess file is a reliable way to send the HSTS header when a user visits your website. However it is not always possible to insert the HSTS header in the .htaccess file. For example when using a webserver that doesn’t support .htaccess, or when the .htaccess file is not writeable, the plugin will insert the HSTS header using PHP.

PHP header used for HSTS, so why a warning?

PHP header will usually work fine. However, the PHP method is not as reliable as the .htaccess method. Caching plugins prevent PHP code from being executed resulting in the HSTS header not being sent and thus will cause the HSTS not to be set correctly. Because of this, Really Simple SSL pro will warn you about this. If you don’t use caching, you can let HSTS to be set using PHP.

Inserting the HSTS header without using PHP

If your webserver uses Apache or a related webserver that uses an .htaccess file, making the .htaccess file writeable will allow Really Simple SSL to insert the HSTS header in the .htaccess file instead of using the PHP header.

The process is different for Nginx webservers. Nginx doesn’t use a .htaccess file, but (usually) a nginx.conf file in which the HSTS header can be declared. At this moment Really Simple SSL will set the HSTS using PHP headers. Adding HSTS to your Nginx configuration is pretty straightforward. Nginx has written a detailed guide on setting up HSTS in your Nginx configuration. If you need any assistance with this, just contact our support.

In short, it’s preferred to declare the HSTS header directly in either your .htaccess file or server configuration.

Testing the HSTS header

An easy way to check if the HSTS header is sent is by going to a redirect checker and see if the header is passed. When everything is working correctly, you should be able to see the HSTS header being passed, like in the image below:

Another option to test the HSTS header using the command line is: curl -I https://yourdomain.com

Related Articles

  • cURL error 35: SSL connect error

    The cURL error 35 can appear in the Really Simple SSL debug log when the CURL function cannot connect to your website using SSL. Curl often uses a different set...
  • How to clear HSTS from your browser

    If you enabled HSTS on your site, you’ll have to clear it from your browser after you disabled it again. Otherwise, your site willl keep loading over SSL. There are...
  • Amp javascript warning with Really Simple SSL

    If your site uses AMP (accelerated mobile pages) in combination with Really Simple SSL, you might encounter an error regarding javascript in the head of the website. If you see...
  • How to fix the ‘no response from webpage’ warning

    Really Simple SSL checks if there is a valid SSL certificate, and if it can find the marker from the mixed content fixer in the html of your website. In...

Leave a Comment