HTTP Strict Transport Security (HSTS) is a security mechanism that protects HTTPS websites against attacks that downgrade connections to insecure HTTP. It allows servers to declare that web browsers should always connect to your website using HTTPS, instead of making insecure connections via HTTP. HSTS provides an additional layer of security around SSL-only websites by instructing browsers to remember that connections to your website should always use SSL.
Note: You must configure your Acquia site in two places: (1) Drupal (see below) needs a module or code that adds the header to Drupal-generated output (normally HTML pages), and (2) static assets such as images, CSS, JS and other files need Apache configuration in .htaccess so that their responses also carry the header.
Step 1) Drupal configuration
There are two ways to enable HSTS for your website:
Enabling HSTS through contributed modules (Drupal 8+, recommended)
There are two Drupal contributed modules that you can use to enable HSTS. The Security Kit module gives Drupal several extra security options, including the HSTS response header. The HTTP Strict Transport Security module also adds HSTS headers to your site.
Enabling HSTS through settings.php (Drupal 7 only)
If Drupal is serving the front page (index page) of your website, then you can implement HSTS by adding the following header to your settings.php file:
header('Strict-Transport-Security: max-age=31536000');
If all present and future subdomains on your website will use HTTPS, then use this header to allow subdomains to use HSTS:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
Step 2) Static assets configuration
Edit your docroot/.htaccess file so that responses for static assets also carry the HSTS header. Here is an example code snippet.
<IfModule mod_headers.c>
# HSTS header for static assets (one year, applied to all subdomains)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
Step 3) Clear caches and test
Because responses can be cached at several layers, after deploying all of your code changes, module installation steps, and so on, you must clear each caching layer:
- Drupal caches
- Acquia Varnish (and, if needed, Platform CDN)
- Any external CDN/caches you may have, including web browsers' caches
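To test the result after the caches are cleared, check the response headers of both a Drupal-generated page and a static asset, since the note above explains they are configured separately. The following script is an added example, not part of this page or of Acquia's tooling: it parses raw HTTP response headers (the kind `curl -I` prints), extracts the Strict-Transport-Security header and reports whether it is missing, duplicated, below the one-year max-age used in the snippets above, or lacking includeSubDomains. The sample responses at the bottom are constructed for the example.

```python
"""Offline checker for the Strict-Transport-Security header on HTTP responses."""
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # the max-age value used in the settings.php and .htaccess snippets


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into {directive-name (lower-cased): value-or-None}.

    Directives are separated by ';'. An empty directive left behind by a stray
    trailing ';' (as in "max-age=31536000; includeSubDomains;") is ignored.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head (status line plus headers) into (name, value) pairs."""
    headers: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, _, val = line.partition(":")
            headers.append((name.strip().lower(), val.strip()))
    return headers


def check_hsts(raw_response: str, min_age: int = ONE_YEAR, want_subdomains: bool = False) -> List[str]:
    """Return a list of findings for the response; an empty list means it passes."""
    findings: List[str] = []
    values = [v for (n, v) in parse_response_headers(raw_response) if n == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security header"]
    if len(values) > 1:
        # RFC 6797 section 8.1: a browser processes only the first HSTS header it sees.
        findings.append("multiple Strict-Transport-Security headers (browsers use only the first)")
    directives = parse_hsts(values[0])
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below the expected {min_age}")
    if want_subdomains and "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed sample responses (not captured from a real site).
DRUPAL_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Drupal-Cache: HIT
"""

STATIC_ASSET_NO_HSTS = """HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: max-age=1209600
"""

STATIC_ASSET_SHORT_AGE = """HTTP/1.1 200 OK
Content-Type: text/css
Strict-Transport-Security: max-age=300
"""

if __name__ == "__main__":
    for label, response in (("Drupal page", DRUPAL_PAGE),
                            ("static asset without header", STATIC_ASSET_NO_HSTS),
                            ("static asset with short max-age", STATIC_ASSET_SHORT_AGE)):
        print(label, "->", check_hsts(response, want_subdomains=True) or ["OK"])
```

Run it against the head of a real response by pasting the output of `curl -I https://example.com/` and `curl -I https://example.com/sites/default/files/some-image.png` (placeholder URLs) into the sample strings; a static asset that reports a missing header means the .htaccess change from Step 2 has not taken effect or is still served from a cache.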
Further reading
For information about various SSL options, see: