HSTS, the HTTP Strict Transport Security protocol, is a standard for forcing the use of HTTPS instead of HTTP in some situations. HSTS does not solve the problem of switching a Web site from HTTP to HTTPS.
HSTS adds an HTTPS response header named "Strict-Transport-Security". The HSTS header does not redirect traffic from HTTP to HTTPS; you have to do that yourself. The option to redirect from HTTP to HTTPS is common in many Web hosting configuration pages and in CMS (Content Management System) configuration files. If none of those options exist, you can add automatic redirects to the Apache and Nginx configuration files.
Web browsers are supposed to ignore the Strict-Transport-Security header when they receive it in an HTTP response, which leaves the Web browser with no reason to switch to HTTPS. You are back to redirecting visitors to HTTPS. When the user visits an HTTPS page, the HSTS header tells the Web browser not to switch back to HTTP.
The justification for the extra header is to tell Web browsers that all content should be HTTPS and that any request for HTTP should be converted to HTTPS before the request is sent to the server. This stops some types of "man in the middle" attacks where an HTTPS request is hijacked and converted to HTTP.
The protocol does not work when the initial request is through HTTP. The protocol does not work with old Web browsers. There are other problems. The first thing you should do before touching HSTS is put in a redirect from HTTP to HTTPS for every domain and subdomain. HSTS can then add a little bit of extra protection to HTTPS domains.
Here is an example set of request headers from a Web browser to a Web server named example.com.
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Language: en-AU,en-GB;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Here are the response headers for the request.
Server: nginx
Date: Sat, 13 Jan 2018 04:38:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6539
Connection: keep-alive
Cache-Control: must-revalidate, no-cache, private
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
expires: -1
pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
There is no Strict-Transport-Security: max-age=63072000 header in that response. To add one, visit your Web hosting control panel, select Websites & Domains, then Apache & Nginx settings, then Additional headers, enter the Strict-Transport-Security header line shown above, and save the change.
Fix the HTTP to HTTPS redirect first then add HSTS.
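Once the header is in place you can check what a browser would make of it. The following checker is an added example and not part of the original page; it applies the rules described above (the header is ignored over plain HTTP, a missing or malformed max-age means no policy, max-age=0 clears the entry) to a constructed copy of the response headers shown earlier, before and after the header is added.

```python
"""Evaluate a Strict-Transport-Security header the way a browser does (RFC 6797)."""
from typing import Dict, Optional

# Constructed sample, taken from the response headers shown above: no HSTS header.
RESPONSE_WITHOUT_HSTS = """Server: nginx
Date: Sat, 13 Jan 2018 04:38:48 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN"""

# Constructed sample: the same response after the header has been added.
RESPONSE_WITH_HSTS = RESPONSE_WITHOUT_HSTS + "\nStrict-Transport-Security: max-age=63072000; includeSubDomains"

def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw header block into a dict keyed by lower-cased name (names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value: str) -> Optional[dict]:
    """Parse the directives of an HSTS value; return None when max-age is missing or not a number."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)      # 63072000 seconds is 730 days
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def hsts_status(scheme: str, raw_headers: str) -> str:
    """What a browser does with the response: ignored-http, absent, invalid, cleared or enforced."""
    if scheme.lower() != "https":
        return "ignored-http"   # the header is only honoured over HTTPS; plain HTTP responses are ignored
    value = parse_headers(raw_headers).get("strict-transport-security")
    if value is None:
        return "absent"         # the situation in the response above: redirect works, HSTS not yet set
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "cleared"        # max-age=0 tells the browser to forget the host's HSTS entry
    return "enforced"
```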