HTTP Strict Transport Security (HSTS) is a security mechanism that protects secure HTTPS websites against attacks. It allows servers to declare that web browsers should always connect to your website using HTTPS, instead of making insecure connections via HTTP. HSTS provides an additional layer of security around SSL-only websites by instructing browsers to remember that connections to your website should always use SSL.
Note: You must configure HSTS for your Acquia site in two places: (1) Drupal (see below) needs a module or code that adds the right headers to Drupal-generated output (normally, HTML pages), and (2) responses for static assets such as images, CSS, JS and other files need Apache server configuration in .htaccess to add the needed headers.

There are two ways to enable HSTS for your website:
There are two Drupal contributed modules that you can use to enable HSTS. The Security Kit module provides Drupal with several extra security options, including implementing the HSTS response header. The HTTP Strict Transport Security module also adds HSTS headers to your site.
If Drupal is serving the front page (index page) of your website, then you can implement HSTS by adding the following header to your settings.php file:
header('Strict-Transport-Security: max-age=31536000');

If all present and future subdomains on your website will use HTTPS, then use this header to apply HSTS to subdomains as well:

header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

For static assets, add the following to your .htaccess file:

<IfModule mod_headers.c>
# HSTS header
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
</IfModule>

For information about various SSL options, see :
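
To confirm that both Drupal-generated pages and static assets return the header, the following added example (not Acquia's code) parses Strict-Transport-Security values and audits a set of responses. The URLs, the sample headers and the names parse_hsts, audit and SAMPLE are constructed for illustration.

```python
def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the value is not a valid policy."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directive, e.g. a trailing ";"
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:                  # RFC 6797 allows each directive only once
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit(responses, min_age=31536000):
    """Map each failing URL in {url: headers} to the reason it fails."""
    problems = {}
    for url, headers in responses.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get("strict-transport-security")
        policy = parse_hsts(raw) if raw is not None else None
        if raw is None:
            problems[url] = "header missing"
        elif policy is None:
            problems[url] = "header invalid"
        elif policy[0] < min_age:
            problems[url] = "max-age %d is below %d" % (policy[0], min_age)
    return problems

# Constructed sample: headers as they might come back from a Drupal page and
# from static files; example.com and the paths are placeholders.
SAMPLE = {
    "https://www.example.com/": {"Strict-Transport-Security": "max-age=31536000"},
    "https://www.example.com/logo.png": {"Content-Type": "image/png"},
    "https://www.example.com/style.css":
        {"strict-transport-security": "max-age=31536000; includeSubdomains;"},
    "https://www.example.com/old": {"Strict-Transport-Security": "max-age=300"},
}

if __name__ == "__main__":
    for url, reason in audit(SAMPLE).items():
        print(url, "->", reason)
```

A static file that comes back without the header, like the constructed logo.png entry, is the symptom of Drupal sending HSTS while the .htaccess configuration is missing.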
Wed Oct 22 2025 09:07:31 GMT+0000 (Coordinated Universal Time)