How To enable HSTS for your site

Configure your .htaccess File

You should edit your .htaccess file to add the proper headers to static assets.

Here is an example code snippet:

<IfModule mod_headers.c>
  # HSTS header
  Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
</IfModule>

Clear caches and test!

Checking HSTS header using curl

curl -s -D- https://example.com/ | grep -i Strict

I don’t see the HSTS header on assets

The idea behind an HSTS header is that content is always downloaded over an encrypted connection.

Once the files are downloaded and put in your memory/disk cache they are no longer encrypted.

When your browser gets the files from memory/disk cache they also don’t need to be downloaded over any connection. The memory/disk cache is a trusted resource. That’s why the HSTS header is not needed.