We would like to add the HSTS header to our page https://www.wipfelglueck.de. Our page is running on a shared server, so we don't have access to the httpd.conf. We tried to enable this header via the .htaccess file like this:
<IfModule mod_headers.c>
    DefaultLanguage de
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "sameorigin"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set Referrer-Policy: no-referrer
    <FilesMatch "\.(js|css|xml|gz)$">
        Header append Vary Accept-Encoding
    </FilesMatch>
    <FilesMatch ".(ico|jpg|jpeg|png|gif|webp)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    <FilesMatch ".(css|js|json|html)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
</IfModule>
When we check the page we receive the warning in subject with this text: "The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed."
I tried some ways to solve this, but have not been successful so far. I can't find a solution on the web, so I would be happy if you could give me a hint on this!
Thank you very much!!
Thank you very much for your response! With the header:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
or
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
there is no error, the page runs, but when I check the page this error is mentioned:
Error: No HSTS header
Response error: No HSTS header is present on the response.
That's strange. What did I do wrong?
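
An added example, not part of the original posts: a small Python check that reproduces the two scanner messages quoted above from captured response headers, so the HTTP and HTTPS responses can be judged separately. The sample responses are constructed, and the function names `parse_hsts` and `check_hsts` are hypothetical.

```python
# Added example: classify captured responses the way the quoted scanner messages do.
# All response data below is constructed for illustration.

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def check_hsts(responses):
    """responses: iterable of (url, headers). Returns a list of (url, finding)."""
    findings = []
    for url, headers in responses:
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if url.lower().startswith("http://"):
            # Browsers ignore HSTS received over plain HTTP (RFC 6797).
            if value is not None:
                findings.append((url, "HSTS header sent over HTTP"))
            continue
        if value is None:
            findings.append((url, "No HSTS header"))
            continue
        d = parse_hsts(value)
        if not d.get("max-age", "").isdigit():
            findings.append((url, "max-age missing or invalid"))
        # hstspreload.org asks for at least one year plus includeSubDomains.
        elif "preload" in d and (int(d["max-age"]) < 31536000
                                 or "includesubdomains" not in d):
            findings.append((url, "preload requirements not met"))
    return findings

HSTS = "max-age=31536000; includeSubDomains; preload"
# Constructed: header set unconditionally, as in the first .htaccess.
UNCONDITIONAL = [
    ("http://wipfelglueck.de/", {"Strict-Transport-Security": HSTS}),
    ("https://www.wipfelglueck.de/", {"Strict-Transport-Security": HSTS}),
]
# Constructed: what the follow-up reports after adding env=HTTPS.
WITH_ENV_HTTPS = [
    ("http://wipfelglueck.de/", {"X-Frame-Options": "sameorigin"}),
    ("https://www.wipfelglueck.de/", {"X-Frame-Options": "sameorigin"}),
]

if __name__ == "__main__":
    for label, sample in (("unconditional", UNCONDITIONAL), ("env=HTTPS", WITH_ENV_HTTPS)):
        print(label, check_hsts(sample))
```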