What is HSTS?
HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections.
If HSTS is activated, the web server sends an additional header (Strict Transport Security) for HTTPS connections with the information that the requested page should only be accessed via an encrypted connection for a certain period of time.
How do I activate HSTS?
The HSTS Header can be activated in the Control Panel. Open your server and switch to "Websites" on the left. Under the website where you want to activate the HSTS header, click on "Edit" and scroll down to "SSL Encryption". Note that this option is only visible if the website is running on Nginx. Here you can enable and configure HSTS.
If a browser sees this header of an HTTPS website, it knows that this domain can only be accessed via HTTPS (SSL or TLS). It will then deny unencrypted access. The browser stores this information for the time specified in max-age. Therefore It's important to ensure that your website and any subdomains are completely accessible via HTTPS and for all content to be exclusively referenced via HTTPS before you activate HSTS.
It is common practice to first activate HSTS with short periods of time and then gradually extend it. For example, start with 5 minutes (300 seconds) and test your website extensively. Then increase the value for max-age step by step to one hour (3600 seconds), one day (86400), one week (604800) as you feel confident. It is recommended to set the value for max-age to more than 120 days (10368000), ideally to one year (31536000).
Websites should aim to use the maximum max-age to ensure increased security for the current domain in the long run.
If this value is set to 0 seconds, the corresponding HSTS information will be deleted. To do so, wait at least for the previously entered value of time. For example, if you set 10368000 seconds (120 days), you must wait at least 120 days until the previous HSTS information is safely deleted from all browsers.
IncludeSubdomains
By activating the includeSubdomains argument, the HSTS settings apply to all subdomains. If you remove this option, HTTPS is only required for the domain.
Preload
"HSTS preload" refers to the procedure, to give the browsers already at the manufacturer a predefined list of HSTS information for various websites. Because of that, he already knows before the first visit to an appropriately protected site, that he should contact them only via an encrypted connection. By enabling the preload argument, a provider of HSTS preload lists can check if your domain can be put on the preload list and you, the owner of that domain, agree with it.
Your settings can be checked via the following website: https://hstspreload.org
This list is created by the Chromium Project and is used by Chrome, Firefox and Safari. These sites are not depending on whether HSTS response headers have been created to enforce the policy. Instead, the browser already knows that the domain name alone requires HTTPS and performs HSTS before any connection or communication is established.