litespeedtech / openlitespeed

Our high-performance, lightweight, open source HTTP server
https://openlitespeed.org
GNU General Public License v3.0

OLS how to enable HSTS #79

Closed ivmm closed 7 years ago

ivmm commented 7 years ago

I added the

Header always set Strict-Transport-Security "max-age=15768000"

to the .htaccess, but it did not work; adding it to the admin panel's rewrite rules also did not work.

ghost commented 3 years ago

How you fix it?

litespeedtech commented 3 years ago

You can create a (static) context, add header directive to "Header Operations".

ghost commented 3 years ago

I know about the "Context" tab. But the HSTS header needs to be added only for HTTPS, on port 443. Otherwise it will cause an error: Warning: Unnecessary HSTS header over HTTP. But I've already solved this problem. Thank you.

qtwrk commented 3 years ago

I know about the "Context" tab. But the HSTS header needs to be added only for HTTPS, on port 443. Otherwise it will cause an error: Warning: Unnecessary HSTS header over HTTP. But I've already solved this problem. Thank you.

I am curious about this as well. Would you mind sharing how you solved it?

ghost commented 3 years ago

I created a separate Virtual Host, set the HSTS header in the Context tab and then mapped the VHost in Listeners.

qtwrk commented 3 years ago

Yes, I know that part, but does that just send HSTS out regardless of HTTP or HTTPS traffic?

ghost commented 3 years ago

HSTS assumes availability only over the HTTPS protocol on port 443. It won't be available on HTTP.

aayubkh commented 3 years ago

@litespeedtech @cyb3rdroid @qtwrk Could you please shed some light on how to fix this: I set the Context correctly, yet the HSTS check still says my website is sending an HSTS header from http://site.com.

Checked at https://hstspreload.org/

Here are my Rewrite Rules for this vHost:

RewriteCond %{HTTP_HOST} !^domain\.com$
RewriteRule (.*)$ https://site.com/$1 [R=301,L]

Here's my vHost conf: https://pastebin.com/raw/yLpRf1mJ

Please help, how to fix it?

qtwrk commented 3 years ago

@cyb3rdroid has already explained what he did: create 2 vhosts, one for HTTP and one for HTTPS, add HTTPS redirection on the HTTP vhost, and then add the HSTS header on the HTTPS vhost.
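
The two-vhost layout described in this comment, written out as OpenLiteSpeed configuration. This is an added example, not configuration taken from the thread or from the OpenLiteSpeed project; the vhost names (site-http, site-https), the domain site.com, the document root and the certificate paths are assumptions. `extraHeaders` in the vhost config is the setting the WebAdmin console shows as "Header Operations" on the Context tab, and `map` under a listener is the mapping entered in the Listeners section. The HTTP vhost carries only the redirect; the HSTS header lives only in the HTTPS vhost, so it is never sent over port 80. The max-age of 31536000 (one year) is what hstspreload.org requires for submission, which is longer than the 15768000 used at the top of the thread.

```text
# httpd_config.conf (server level): one listener per scheme, each mapped to its own vhost
listener HTTP {
  address                 *:80
  secure                  0
  map                     site-http site.com, www.site.com
}

listener HTTPS {
  address                 *:443
  secure                  1
  # assumed certificate paths
  keyFile                 /etc/ssl/private/site.com.key
  certFile                /etc/ssl/certs/site.com.crt
  map                     site-https site.com, www.site.com
}

virtualhost site-http {
  vhRoot                  /var/www/site/
  configFile              $SERVER_ROOT/conf/vhosts/site-http/vhconf.conf
}

virtualhost site-https {
  vhRoot                  /var/www/site/
  configFile              $SERVER_ROOT/conf/vhosts/site-https/vhconf.conf
}

# conf/vhosts/site-http/vhconf.conf: plain-HTTP vhost, redirect only, no HSTS header
docRoot                   $VH_ROOT/html/
rewrite  {
  enable                  1
  rules                   <<<END_rules
RewriteRule ^(.*)$ https://site.com/$1 [R=301,L]
  END_rules
}

# conf/vhosts/site-https/vhconf.conf: HTTPS vhost for the same site root, HSTS on the root context
docRoot                   $VH_ROOT/html/
context / {
  location                $DOC_ROOT/
  allowBrowse             1
  extraHeaders            <<<END_extraHeaders
Strict-Transport-Security: max-age=31536000; includeSubDomains
  END_extraHeaders
}
```

After a graceful restart, the HTTP listener should answer with a 301 and no Strict-Transport-Security header, and the HTTPS listener with the header set. Leaving `includeSubDomains` off is fine if any subdomain is still served over plain HTTP.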

aayubkh commented 3 years ago

@cyb3rdroid has already explained what he did: create 2 vhosts, one for HTTP and one for HTTPS, add HTTPS redirection on the HTTP vhost, and then add the HSTS header on the HTTPS vhost.

Thanks for the swift reply... I can't get to where you are pointing, pardon me... :/

aayubkh commented 3 years ago

@qtwrk can you please help?

qtwrk commented 3 years ago

https://pastebin.com/raw/yLpRf1mJ

You have one vhost already; create another with the same configuration, except that context, and point it to your HTTP traffic listener.

I think you can also just ignore that warning; it doesn't hurt anyway. It shows "unnecessary", it's not an "error".
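
To confirm the split works the way hstspreload.org checks it (a redirect and no HSTS header over HTTP, an HSTS header over HTTPS), here is an added check script; it is not part of OpenLiteSpeed or of this thread. `evaluate_hsts` judges a captured response-header dump for one scheme, and `check_host` pulls live headers with curl. The minimum max-age it enforces (31536000, one year) is the preload-list requirement, stricter than the 15768000 used earlier in the thread. Browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797, section 8.1), which is why the preload checker reports it as a warning rather than an error, as the comment above says.

```shell
#!/bin/sh
# Added example (not OpenLiteSpeed code): check that a site sends HSTS only over
# HTTPS and redirects plain HTTP to HTTPS, the way hstspreload.org expects.
# Depends only on POSIX sh, sed, grep, tr and (for live checks) curl.

PRELOAD_MIN_MAX_AGE=31536000   # one year, the hstspreload.org minimum

# hsts_header DUMP: print the Strict-Transport-Security line from a header dump, if any.
hsts_header() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' || true
}

# evaluate_hsts SCHEME DUMP
#   SCHEME is http or https; DUMP is the raw status line plus response headers.
#   Returns 0 when the response is what a preload-ready site should send for
#   that scheme, 1 otherwise, and prints the reason.
evaluate_hsts() {
  scheme=$1
  dump=$2
  hsts=$(hsts_header "$dump")
  case $scheme in
    https)
      if [ -z "$hsts" ]; then
        echo "FAIL: no HSTS header over HTTPS"; return 1
      fi
      max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
      if [ -z "$max_age" ]; then
        echo "FAIL: HSTS header has no max-age: $hsts"; return 1
      fi
      if [ "$max_age" -lt "$PRELOAD_MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$max_age is below the preload minimum $PRELOAD_MIN_MAX_AGE"; return 1
      fi
      echo "OK: $hsts"; return 0
      ;;
    http)
      # Harmless to browsers (they ignore HSTS over HTTP), but the preload checker flags it.
      if [ -n "$hsts" ]; then
        echo "FAIL: unnecessary HSTS header over HTTP"; return 1
      fi
      status=$(printf '%s\n' "$dump" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
      case $status in
        301|302|307|308) ;;
        *) echo "FAIL: HTTP did not redirect (status ${status:-none})"; return 1 ;;
      esac
      location=$(printf '%s\n' "$dump" | tr -d '\r' | grep -i '^location:' | sed 's/^[^:]*: *//' || true)
      case $location in
        https://*) echo "OK: $status -> $location"; return 0 ;;
        *) echo "FAIL: redirect target is not HTTPS: ${location:-none}"; return 1 ;;
      esac
      ;;
    *)
      echo "usage: evaluate_hsts http|https DUMP"; return 2
      ;;
  esac
}

# check_host HOST: fetch live headers for both schemes and evaluate each.
# curl -I does not follow redirects, so the HTTP response inspected is the redirect itself.
check_host() {
  host=$1
  evaluate_hsts http  "$(curl -sSI "http://$host/")"
  evaluate_hsts https "$(curl -sSI "https://$host/")"
}

# Usage: check_host site.com
```

Run `check_host` against the domain after restarting the server; both lines should start with OK. If the HTTP line reports an unnecessary HSTS header, the HTTP listener is still mapped to the vhost that carries the context with the header.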