How to Enable HSTS Preload for WordPress (or any other website)


Today, I learned that even with full-site HTTPS it’s still possible for an SSL stripping attack to happen. This is a very good YouTube video in which everything regarding the attack and a solution, HSTS preload, is explained.

To make a WordPress site, or any other website, eligible for HSTS preload, it’s actually very simple: just add a custom response header like this:

# nginx config example
# Put this in the HTTPS (listen 443 ssl) server block; the "always" parameter
# makes nginx send the header on error responses (e.g. 404, 500) as well,
# not only on 2xx/3xx responses.
server {
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}

I use nginx to serve my own WordPress blog; adding the header with another web server should be similarly easy. Once the header is visible in a response, you can submit the domain for HSTS preload at https://hstspreload.org/
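Before submitting, it is worth checking that the header your server actually sends satisfies the preload list's requirements (a max-age of at least one year, i.e. 31536000 seconds, plus the includeSubDomains and preload directives). The following script is an added example, not code from the original post; it parses a Strict-Transport-Security value, reports what is missing, and can optionally fetch a live URL with Python's standard urllib. The sample response header blocks at the bottom are constructed for illustration.

```python
"""Check a Strict-Transport-Security header against the hstspreload.org
submission requirements: max-age >= 1 year, includeSubDomains, preload."""
import sys
import urllib.request

ONE_YEAR_SECONDS = 31536000  # minimum max-age accepted by hstspreload.org


def parse_hsts(value):
    """Split an HSTS header value into a {directive_name: value} dict.

    Directive names are case-insensitive per RFC 6797, so they are
    lowercased; flag directives such as 'preload' map to an empty string.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_preload_eligibility(value):
    """Return (eligible, problems) for a raw header value."""
    problems = []
    directives = parse_hsts(value)

    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR_SECONDS:
        problems.append(
            f"max-age={max_age} is below the required {ONE_YEAR_SECONDS} (1 year)"
        )
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return (not problems, problems)


def hsts_from_raw_headers(raw_headers):
    """Extract the STS value from a raw HTTP response header block.

    Returns None when the header is absent, which is itself a failure:
    the preload site needs to see the header on the HTTPS response.
    """
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


def check_raw_response(raw_headers):
    """Evaluate a captured header block; missing header is reported as a problem."""
    value = hsts_from_raw_headers(raw_headers)
    if value is None:
        return (False, ["no Strict-Transport-Security header in response"])
    return check_preload_eligibility(value)


def check_live_site(url, timeout=10):
    """Fetch url with a HEAD request and evaluate its STS header (needs network)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        value = response.headers.get("Strict-Transport-Security")
    if value is None:
        return (False, ["no Strict-Transport-Security header in response"])
    return check_preload_eligibility(value)


# Constructed sample responses (not captured from any real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        eligible, problems = check_live_site(sys.argv[1])
    else:
        eligible, problems = check_raw_response(WEAK_RESPONSE)
    print("eligible" if eligible else "NOT eligible")
    for problem in problems:
        print(" -", problem)
```

Run it with no arguments to see the constructed weak example rejected, or pass `https://example.invalid/` (any URL you control) to check the header your own server returns. It checks only the header's content; hstspreload.org additionally requires that the site redirect HTTP to HTTPS on the bare domain and serve the header on that HTTPS response, which is why the nginx snippet above belongs in the HTTPS server block.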

🙂