I am not very familiar with HSTS, but I am trying to implement it on my shared web hosting server.
It seems I have gotten it to work on the host with www. but not on the apex host.
The Hardenize security audit flags it as an issue; audit report: https://www.hardenize.com/report/perroon.eu/1590566369#www_hsts
I do not have access to the Apache configuration, only .htaccess.
Here is my .htaccess:
# Force from HTTP to HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
# The redirect target must include the host; "https://$1" alone drops it
# and produces a URL like https://index.html
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# Secure this /secured section
<If "%{HTTPS} == 'on'">
AuthUserFile "/home/xtreamro/.htpasswds/perroon.eu/passwd"
AuthName "Restricted Access"
AuthType Basic
require valid-user
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "deny"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# "Header set" replaces any earlier value, so two separate CSP lines leave
# only the last one; both directives belong in a single header
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src *"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Cache-Control "public"
</If>
Extra notes:
- I use <If> in .htaccess to make sure basic auth is done over HTTPS.
- My .htaccess is in the root directory of my hosting account, not in the domain folder.
Can someone shed some light on how I should do this without security audits mentioning it?
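A small shell helper, added here and not part of the original post, to check which hostname actually sends the header: it fetches the HTTPS response for a host without following redirects (an apex that only redirects to www. still has to send HSTS itself) and checks the value against the one-year, includeSubDomains and preload requirements the audit expects. It assumes curl is installed; hostnames are passed as arguments.

```shell
#!/bin/sh
# Evaluate one Strict-Transport-Security value. Prints a reason and
# returns 0 when it satisfies max-age >= 31536000, includeSubDomains
# and preload; returns 1 otherwise.
hsts_eval() {
    value=$1
    [ -n "$value" ] || { echo "missing: no Strict-Transport-Security header"; return 1; }
    lowered=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' ')
    # Split directives on ';' and pull the numeric max-age
    max_age=$(printf '%s\n' "$lowered" | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$max_age" ] || { echo "invalid: no max-age directive"; return 1; }
    [ "$max_age" -ge 31536000 ] || { echo "weak: max-age $max_age is below one year"; return 1; }
    case "$lowered" in
        *includesubdomains*) ;;
        *) echo "partial: includeSubDomains missing"; return 1 ;;
    esac
    case "$lowered" in
        *preload*) ;;
        *) echo "partial: preload token missing"; return 1 ;;
    esac
    echo "ok: $value"
    return 0
}

# Probe a live host over HTTPS. Redirects are deliberately not followed:
# the audit looks at the header on this hostname, not on the redirect target.
hsts_probe() {
    host=$1
    value=$(curl -sS -o /dev/null -D - --max-time 10 "https://$host/" 2>/dev/null \
        | tr -d '\r' | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1)
    printf '%s: ' "$host"
    hsts_eval "$value"
}

# Usage: hsts_probe perroon.eu; hsts_probe www.perroon.eu
```

Run it for both the apex and the www. hostname; the apex is expected to print "missing" until the header is sent from that host as well.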