#36790 HTACCESS HSTS

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 14 April 2022 20:17 CDT

screengrafixx

Hello,

In the generation of the .htaccess file I can set the HSTS header to Yes, and it writes the following into the file:
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

But I need the following:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

How can I set this?

nicholas
Akeeba Staff
Manager

The preload flag does nothing. For the past several years (at this point I've lost count) you need to submit your site to https://hstspreload.org/ and it will be included in the HSTS preload list in the next version of each browser.

The includeSubDomains flag is not needed. Both your bare domain name (e.g. example.com) and your www subdomain (e.g. www.example.com) will be loaded with the same .htaccess file, therefore they will both get HSTS applied. In fact, HSTS and the redirection to HTTPS will precede any non-www to www (or vice-versa) redirection which is why both the bare domain and the www subdomain need to have a valid TLS certificate when you enable the HSTS option.

Therefore the includeSubDomains flag would only tell the browser that any other subdomain — even if it's a CNAME — will also have HSTS applied. This is problematic if you ever need a subdomain which is not HTTPS-only. There are some cases where you actually need that. Therefore it's prudent to have each subdomain decide whether to send an HSTS header or not.

Some very, very old tools to check HSTS would recommend these two flags without putting much thought into it. They are NOT necessary for HSTS to apply to your Joomla site, and that's the objective we are fulfilling with the HSTS feature in Admin Tools' .htaccess Maker. The way it's implemented now is sensible for that context. If you have a legitimate use case for the includeSubDomains flag, it means you understand enough about your server to know what you need to do. If you have to ask me how to do it, it means you don't actually need it. Hint: every instance of “Header set” supersedes any previous ones; you can include code at the bottom of the generated .htaccess, therefore running it last.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
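As an added illustration of the approach described in the reply above (this is example configuration written for this page, not output of Admin Tools' .htaccess Maker and not Akeeba's code), the fragment below shows the generated HSTS line followed by an owner-supplied override appended at the end of the file. The `<IfModule mod_headers.c>` wrappers and the comments are assumptions for readability; the page itself only shows the bare `Header` line. One detail worth knowing when writing such an override: mod_headers keeps `Header set` and `Header always set` in separate header tables, so a later plain `Header set` does not replace an earlier `Header always set` line but adds a second Strict-Transport-Security header. The override therefore repeats the `always` condition of the generated line.

```apache
# Added example, not generated by Admin Tools.
# Requires mod_headers. The env=HTTPS condition keeps the header off plain-HTTP
# responses, where browsers ignore HSTS anyway.

# What the page shows the .htaccess Maker writing when "HSTS" is set to Yes:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

# ... remainder of the generated .htaccess ...

# Site-owner override, placed at the very bottom so it runs last.
# It uses the same "always" condition as the generated line so that it
# replaces that value instead of emitting a second header.
# includeSubDomains commits every subdomain (CNAMEs included) to HTTPS-only;
# leave it out if any subdomain must remain reachable over plain HTTP.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
```

After deploying, confirm that an HTTPS response carries exactly one Strict-Transport-Security header with the intended value, and that the same response over plain HTTP carries none.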

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
