HSTS file issue

Otávio Serra

• April 23, 2018 13:27

Hi, I filled HSTS's line command on .htaccess and uploaded it to root host of one cPanel account [removed.tld.br]. But HSTS appeared to be disabled on one test website. This is the command putted on .htaccess file and uploaded to root of this account's site [removed.tld.br]: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS This is the test site I used that trhowed this problem: [removed] This is the result on report: Strict Transport Security (HSTS) No HSTS Preloading Not in: Chrome Edge Firefox IE Using curl how test tool and same problem: [ec2-user@wp1 ~]$ curl -si removed.tld | grep ^Strict [ec2-user@wp1 ~]$ Plus, I entered on WHM // Software // EasyApache 4 and verified that mob_header is ENABLE on Apache configuration. What is wrong? Any one can help me? Thanks

• 

  Hedloff

  • April 23, 2018 18:33

  Did you try to add it in "Include Editor" in WHM like this:

  0
• 

  Otávio Serra

  • April 23, 2018 18:53

  Did you try to add it in "Include Editor" in WHM like this:

  
  No. I need HSTS only for one account. So I need use .htaccess. Your path apply globally.

  0
• 

  cPanelMichael

  • April 23, 2018 18:55

  Hello, Can you try testing with the rules referenced on the following post and let us know if it helps? Thank you.

  0
• 

  Otávio Serra

  • April 23, 2018 19:32

  Hello, Can you try testing with the rules referenced on the following post and let us know if it helps? . I can't redirect my domain to www. because I need URL without www.

  0
• 

  cPanelMichael

  • April 23, 2018 20:05

  Hello, You may want to try it without the redirect entry to see if it helps. Additionally, here are a couple of other threads with discussion on this topic: Note that if you prefer to enable it for a specific domain name as opposed to globally, you can use the instructions from the following thread:
  Thank you.

  0
• 

  Otávio Serra

  • April 23, 2018 20:15

  I tried it but didn't work see: # Force SSL: RewriteCond %{HTTPS} off RewriteRule (.*) RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPress

  0
• 

  cPanelMichael

  • April 24, 2018 14:39

  Hello @Ot"vio Serra, Can you verify a trusted SSL certificate is installed for the domain name you are testing with, as opposed to a self-signed SSL certificate? Also, try testing via the command line using cURL. EX: curl -s -D- https://domain.tld/ | grep Strict
  If it's successful, the output should look like this: # curl -s -D- https://domain.tld/ | grep Strict Strict-Transport-Security: max-age=63072000
  Additionally, use "WHM >> MultiPHP Manager" to check to see which PHP handler is associated with the version of PHP assigned to this account. For instance, headers are stripped as a security measure when using CGI as the handler. Thus, you'd need to use a different handler or add the entries directly to the virtual host instead of the .htaccess file per the instructions at: Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation Thank you.

  0

Please sign in to leave a comment.