Introduction
This article details the steps required to enable HSTS on a Webuzo server.
Procedure
To enable HSTS, follow the steps below:
1) Using SSH or the Webuzo File Manager, navigate to the ~/public_html directory.
2) Use your preferred text editor to open the .htaccess file.
If the .htaccess file does not already exist, create it.
3) Copy the following lines, and then paste them into the .htaccess file:
<IfModule mod_headers.c>
# HSTS: max-age is in seconds (300 = 5 minutes)
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
# Append HttpOnly and Secure to every Set-Cookie header
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always set X-Frame-Options "sameorigin"
# The later "Header set Referrer-Policy" line replaces this value
Header setifempty Referrer-Policy "same-origin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options "nosniff"
</IfModule>
4) Save your changes to the .htaccess file. HSTS is now enabled for your site.
5) Confirm that your site now sends the Strict-Transport-Security header using the following command (the match is case-insensitive because HTTP/2 responses print header names in lowercase):
read -p "Domain: " domain ; curl -s --head "https://${domain}/" | grep -i 'Strict-Transport-Security'
6) This will allow you to input the domain you would like to check; as an example, I will use 'hsts.com':
[root@test ~]# read -p "Domain: " domain ; curl -s --head https://${domain}/ | egrep 'Strict-Transport-Security'
Domain: hsts.com
Strict-Transport-Security: max-age=300; includeSubDomains; preload
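
The check in steps 5 and 6 only confirms that the header is present. The following is an added example, not part of the original article (function names are hypothetical, the sample response is constructed): it matches the header name in any case, parses max-age, and warns when preload is set without the values the browser HSTS preload list requires for submission (max-age of at least 31536000 seconds plus includeSubDomains).

```bash
# Added example. sample_headers is constructed input: an HTTP/2 response prints
# header names in lowercase, which a case-sensitive grep would miss.
sample_headers() {
  printf '%s\r\n' 'HTTP/2 200' \
    'strict-transport-security: max-age=300; includeSubDomains; preload' \
    'x-frame-options: sameorigin' ''
}

# header_value NAME: read a header dump on stdin, print NAME's value (any case).
header_value() {
  tr -d '\r' | awk -v want="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# hsts_max_age VALUE: print the max-age number from an HSTS header value.
hsts_max_age() {
  printf '%s\n' "$1" | tr ';' '\n' | awk -F= '{
    k = tolower($1); gsub(/[ \t]/, "", k)
    if (k == "max-age") { v = $2; gsub(/[ \t"]/, "", v); print v; exit }
  }'
}

# hsts_has VALUE DIRECTIVE: succeed if the valueless directive is present.
hsts_has() {
  printf '%s\n' "$1" | tr ';' '\n' | awk -v d="$2" '{
    k = tolower($0); gsub(/[ \t]/, "", k); if (k == tolower(d)) found = 1
  } END { exit !found }'
}

# audit_hsts: headers on stdin. Returns 0 ok, 1 missing/invalid, 2 preload unmet.
audit_hsts() {
  hsts_value=$(header_value Strict-Transport-Security)
  [ -n "$hsts_value" ] || { echo "MISSING: Strict-Transport-Security"; return 1; }
  hsts_age=$(hsts_max_age "$hsts_value")
  case "$hsts_age" in ''|*[!0-9]*) echo "INVALID: max-age"; return 1 ;; esac
  echo "OK: max-age=${hsts_age}s"
  if hsts_has "$hsts_value" preload; then
    if [ "$hsts_age" -lt 31536000 ] || ! hsts_has "$hsts_value" includeSubDomains; then
      echo "WARN: preload list requires max-age >= 31536000 and includeSubDomains"
      return 2
    fi
  fi
  return 0
}

# Live use: curl -s --head "https://${domain}/" | audit_hsts
sample_headers | audit_hsts || true
```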