I have the following lines in my .htaccess file.

```
<ifModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload" env=HTTPS
</ifModule>
```

However I know my site isn't sending the HSTS headers.

```
HTTP/1.1 200 OK
Date: Mon, 20 Aug 2018 17:15:20 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: https://www.xxxxxx.co.uk/xmlrpc.php
Link: <https://www.xxxxxxxx.co.uk/>; rel=shortlink, <https://www.xxxxx.co.uk/wp-json/>; rel="https://github.com/WP-API/WP-API"
Set-Cookie: PHPSESSID=ch4b175rshdlqwlrq3ij8cgo441; path=/
Content-Type: text/html; charset=UTF-8
```

If I run `apachectl -M` I can see `headers_module (shared)` on the list, so I know the module's there.

Is there anywhere else that could be overriding these settings? All other settings set in the htaccess file work fine.

Bysander

1 Answer

Some things to confirm are that your htaccess is being read at all for that request. One simple way is to type gibberish into it, and if you don't get an error, it's not being read.

The most frequent reasons it's not read:

  • AllowOverride for that directory scope is None
  • Your test request is not served out of the filesystem at all (Proxy)
covener
  • It's a WHM/cPanel based server - which has AllowOverride set at All. *ALL* other commands on the `.htaccess` file are honoured - it's really stumping me how it's not allowing it through – Bysander Aug 21 '18 at 10:59
  • I should also add that the addition of gibberish causes a 500 server error :-( – Bysander Aug 21 '18 at 14:46
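
One way to confirm from a captured response whether the header from the question is actually arriving, and what policy it carries, as an added example that is not part of the original question or answer. The two sample responses are constructed, and the function names are hypothetical.

```python
# Constructed sample shaped like the response in the question (no HSTS field).
MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=constructed; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)
# Constructed sample: the same response once the .htaccess directive applies.
HSTS = "Strict-Transport-Security: max-age=16070400; includeSubDomains; preload"
PRESENT = MISSING + HSTS + "\r\n"


def header_values(raw, wanted):
    """Return every value of header `wanted` (case-insensitive), in order."""
    values = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted.lower():
            values.append(value.strip())
    return values


def parse_hsts(value):
    """Split an HSTS value into {directive: argument}; names are lowercased."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives.setdefault(name.strip().lower(), arg.strip().strip('"'))
    return directives


def check_hsts(raw):
    """Return None when the header is absent, else a summary of the policy."""
    values = header_values(raw, "Strict-Transport-Security")
    if not values:
        return None
    d = parse_hsts(values[0])  # RFC 6797: only the first HSTS field counts
    max_age = d.get("max-age", "")
    return {
        "max_age": int(max_age) if max_age.isdigit() else None,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "extra_fields": len(values) - 1,
    }


if __name__ == "__main__":
    print(check_hsts(MISSING), check_hsts(PRESENT))
```

Paste the header block from the HTTPS response itself into `check_hsts`, since the directive in the question is conditional on `env=HTTPS`.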