How to set up HSTS headers on Accelerated Domains

Every website that uses Accelerated Domains will, by default, get a standard set of HSTS headers. These headers are set from within Accelerated Domains. But how can you adjust this?

How does HSTS work on Accelerated Domains?

To understand how we can adjust these headers, it’s important to understand how Accelerated Domains sets them. A set of HSTS headers is included with every page that is sent. The exact content of these headers depends on the choices you make; the options are listed below. Accelerated Domains serves a set of fallback headers, which means that if you don’t specify your own HSTS headers, the default is sent:

Strict-Transport-Security: max-age=31536000

In all other cases, the headers set by your Bolt will take precedence over this setting.

Setting up HSTS headers on your site

If you wish to use a different set of headers, you must instruct your environment to send them along with the responses it serves. The easiest way to do this is by adding the needed code to your .htaccess file. There are generally three settings you can use:

Strict-Transport-Security: max-age=<expire-time>

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

Setting HSTS for this site only, for one year

If you only want to set the HSTS header for the hostname used by the site itself, you can add the following line to your .htaccess file:

Header setifempty Strict-Transport-Security "max-age=31536000"

Setting HSTS for this site and all subdomains, for one year

If you want to include subdomains, the header must change a bit. Keep in mind that you can only use this setting on an apex domain (so without the www. prefix). Add the following line to your .htaccess file:

Header setifempty Strict-Transport-Security "max-age=31536000; includeSubDomains"

Caution: using includeSubDomains can have unexpected consequences. Once configured, any browser that has visited the site with it enabled will also force HTTPS traffic on all subdomains. That could be a local development environment, or perhaps a system that the facilities team manages for your building. If those are not also available over HTTPS, they will no longer be accessible via the browser(s) that have visited the website.

Setting HSTS for this site and all subdomains, for two years, including preload

If you want to add your domain to the preload list, the maximum age of the setting must be raised to two years. More information on this setting can be found in the documentation.

Header setifempty Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Testing the headers

Once you’ve made changes, you’ll want to check that you made them correctly. There is one thing to keep in mind here: these headers are part of the pages being sent. Since Accelerated Domains delivers most pages from cache, there is a good chance that you won’t see any changes right away. First purge the Accelerated Domains cache. Once this is done, you can examine the headers sent in the developer console of your browser, or using an online service that shows them.
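A small checker for the header value you read from the developer console, added here as an example and not part of the Accelerated Domains documentation or tooling: it parses a Strict-Transport-Security value and reports whether it meets the one-year default and the two-year preload requirement described above. The sample values are constructed from the three variants in this article, plus one with a mistyped max-age.

```python
import re

# Thresholds from the article: one year for the default, two years for preload.
ONE_YEAR = 31536000
PRELOAD_MIN_AGE = 63072000

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict, or None if invalid."""
    # Directive names are case-insensitive; a missing or non-numeric max-age
    # invalidates the whole header, which is how browsers treat it.
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def check_hsts(header_value, expect_preload=False):
    """Return a list of findings; an empty list means the header is as intended."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["missing or malformed max-age directive"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 switches HSTS off for this host")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age is below one year (31536000)")
    if expect_preload:
        if not policy["preload"]:
            findings.append("preload directive is missing")
        if not policy["include_subdomains"]:
            findings.append("includeSubDomains is required for preload")
        if policy["max_age"] < PRELOAD_MIN_AGE:
            findings.append("preload needs max-age of at least two years (63072000)")
    return findings

# Constructed sample values: the article's three variants plus a hand-edited one.
SAMPLES = {
    "default": "max-age=31536000",
    "subdomains": "max-age=31536000; includeSubDomains",
    "preload": "max-age=63072000; includeSubDomains; preload",
    "typo": "max-age=6307200; includeSubDomains; preload",
}
```

Call `check_hsts(value, expect_preload=True)` on the value your browser shows after purging the cache; an empty list means the header matches the variant you configured.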

Conclusion

To sum up, Accelerated Domains comes with a fallback set of default HSTS headers, which are safe to use with any site. If you need to alter them for any reason, you can use the examples listed above to instruct your site to send the headers you need. Accelerated Domains respects the headers your site sends and passes them along to your visitors.