Configure HSTS (HTTP Strict Transport Security) in BPS Pro
Forum: BulletProof Security Pro
This topic has 11 replies, 2 voices, and was last updated 5 years, 5 months ago by AITpro Admin.
Mats (Participant)
Hi,
could you please help me configure HTTP Strict Transport Security (HSTS) in BPS Pro. I tried to achieve that by using the “Custom Code” Section 9 (CUSTOM CODE REQUEST METHODS FILTERED). I copied and pasted the original code from .htaccess and then modified it: deleted all the code and pasted this instead …
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
But it doesn’t work that way. Thanks.
AITpro Admin (Keymaster)
The 9. CUSTOM CODE REQUEST METHODS FILTERED Custom Code text box is only for BPS Request Methods Filtered htaccess code so that you can modify just that code. No other code should go in that Custom Code text box. You would either use the 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE text box or the 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE text box. Personally I recommend using the 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE text box.
Reference Link: OWASP Secure Headers Project
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
Mats (Participant)
Thanks, I tried both possibilities … but failed (box 1 and 14).
Strict-Transport-Security: max-age=31536000; includeSubDomains
Always a “500 Internal Server Error” after activating under the “Security Modes” tab, and I had to reconfigure. Is there some other way to implement HSTS (or maybe you could please implement it as an additional feature in one of the next updates, with fields: max-length, subdomains, preload)?
AITpro Admin (Keymaster)
It looks like your code is missing a blank space after the max-age parameter.
Strict-Transport-Security: max-age=31536000[1 blank space here]; includeSubDomains
Mats (Participant)
Thanks, but that doesn’t seem to be the point. I tried several spellings. BPS “crashes” (box 1 & 14) and I had to completely reconfigure it. Today I had to do a new install … Seems there is no possibility?
Mats (Participant)
Additional hint: I use a multisite installation of WP 4.9.6 and want to implement HSTS for each domain (main site + subdomains).
AITpro Admin (Keymaster)
Testing has been scheduled for 9am tomorrow morning to see if the HSTS htaccess code works on our Local Development servers and also our Live hosted host servers. If the HSTS htaccess code works on our servers that does not necessarily mean your host server allows the HSTS htaccess code. Network/Multisite sites are virtual and not physical, so I am not sure if that factor is causing the problem. We will test on both a single standard WordPress installation and a Network/Multisite installation of WordPress. What type of Network/Multisite site do you have? Subdirectory or Subdomain? Is this a WordPress Network/Multisite installation or a WPMU installation?
Mats (Participant)
Thank you very much. It is a WP Network/Multisite installation with subdirectories.
AITpro Admin (Keymaster)
Oops, forgot to ask for the exact HSTS htaccess code that you are using. Please post the exact HSTS htaccess code if it is different from what you have already posted above.
AITpro Admin (Keymaster)
The solution is very simple. The OWASP and other help info pages regarding HSTS assume that you are adding the code to your server’s httpd.conf or vhost conf files, or they just left out the very important htaccess directive: “Header set”. To add the HSTS code to an htaccess file you need to use the format/code below. Note: a space is not required after the max-age parameter, and you need to use the double quotes in your htaccess code as shown below.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
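Putting the thread's two posts together, as an added example that is not part of the thread and not BPS Pro code: a POSIX shell script with two functions. hsts_htaccess emits the .htaccess fragment built around the admin's `Header always set` line, wrapped in an `<IfModule mod_headers.c>` guard (so a host without mod_headers skips it instead of answering with a 500 for an unknown directive) and conditioned on TLS with an Apache 2.4 `expr=` clause; both the guard and the condition are additions beyond what the thread shows. check_hsts_value tests a header value against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), since the original question asked for preload. The function names and the `# BEGIN HSTS` / `# END HSTS` markers are my own; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from BPS Pro.

# Print the .htaccess fragment. Paste the output into the BPS Pro
# "1. CUSTOM CODE TOP" text box (the admin's recommendation) or directly
# into .htaccess. The <IfModule> guard avoids a 500 on hosts that do not
# load mod_headers; the expr= condition (Apache 2.4+) sends the header only
# on TLS responses, which is where browsers honour it (RFC 6797).
hsts_htaccess() {
    cat <<'EOF'
# BEGIN HSTS
<IfModule mod_headers.c>
    # Wrong (what the thread started with): a bare header line is not an
    # htaccess directive and yields "500 Internal Server Error".
    # Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # Right: the Header directive, "always" so the header is also sent on
    # error responses, and the value in double quotes.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</IfModule>
# END HSTS
EOF
}

# Split a header value into one directive per line, whitespace removed.
hsts_directives() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n'
}

# Return 0 when VALUE (everything after "Strict-Transport-Security:") meets
# the hstspreload.org requirements: max-age >= 31536000 seconds (one year),
# includeSubDomains, and preload. Directive names are case-insensitive.
check_hsts_value() {
    value=$1
    max_age=$(hsts_directives "$value" \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$max_age" ] || { echo "missing max-age" >&2; return 1; }
    [ "$max_age" -ge 31536000 ] \
        || { echo "max-age $max_age is below 31536000" >&2; return 1; }
    hsts_directives "$value" | grep -qix 'includeSubDomains' \
        || { echo "missing includeSubDomains" >&2; return 1; }
    hsts_directives "$value" | grep -qix 'preload' \
        || { echo "missing preload" >&2; return 1; }
    return 0
}

# Live check once the fragment is deployed (needs network, so not run here):
#   curl -sI https://example.com/ | grep -i '^strict-transport-security:'
# then feed the value part of that line to check_hsts_value, e.g.
#   check_hsts_value "max-age=31536000; includeSubDomains; preload"   # passes
#   check_hsts_value "max-age=31536000; includeSubDomains"            # fails: no preload
```

Two practical notes. A subdirectory multisite (what Mats runs) serves every site from the same host name, so one header on that host covers all of them; includeSubDomains only matters for subdomain sites, and it commits every subdomain of the domain to HTTPS, so check that none of them is still plain HTTP before adding it. Only add preload once the site is known to work over HTTPS for good, because removal from the browser preload list takes months.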
Mats (Participant)
Thank you, I will try another time tomorrow … In my first post (at the top above) I tried an almost similar expression
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
… but in box 8. So let’s hope it will work in box 1 or 14. I’ll give feedback then.
AITpro Admin (Keymaster)
Ok, do not forget to include the most important part of the htaccess directive code:
Header always set