• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to correctly enable HSTS with Plesk?

K

King555

Regular Pleskian
I'm using Plesk Onyx 17.5 with Apache (no nginx) under Debian 8 x64. Recently I edited the .htaccess files of all my websites to force HTTPS. Then I heard about HSTS and wanted to enable this. I found this article: How to enable HTTP Strict-Transport-Security (HSTS) for a domain on the Plesk server?

I have two questions:

1.) According to the corresponding RFC, the HSTS header should never be sent via HTTP, only via HTTPS. But how can I achieve this with Plesk? When I add the header as described in the article, the header is always sent. Can I use the textbox at the bottom?

2.) This is only partially related to Plesk. The recommendation is to redirect to HTTPS first and then do other redirects like adding www. to the domain. When enabling the two options in Plesk to redirect to www and HTTPS, there is only one redirect, so I have to use the htaccess file (as I always did).

Doing two redirects is not the problem, but what if the user already uses the www version of my domain? Should I redirect him always to the top domain and then add www? And what if he already uses HTTPS, then also redirect to the top domain?
 
Last edited:
Hello

1. to auto redirect to https use this:
a. Imgur
and this
b. Imgur

2. prefer use this https:// DOMAIN .com
anothers domains always redirect to the "main"
 
Thanks, but I'm afraid this does not answer my questions.

Concerning 1.) When I enable this option, is the header I entered in Plesk (as described in my posting) then only sent via HTTPS? I don't think so.

Concerning 2.) What do you mean? That I should not use the www subdomain at all?
 
King555 said:
Thanks, but I'm afraid this does not answer my questions.

Concerning 1.) When I enable this option, is the header I entered in Plesk (as described in my posting) then only sent via HTTPS? I don't think so.

Concerning 2.) What do you mean? That I should not use the www subdomain at all?
Click to expand...

IF you need turn on more SSL options you can try use:
  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
These options its easy enable on wordpress ex. Or use the header HTML/PHP file to enable


the 2 is;

If you have this domain BRINSLEY. COM.BR and in:

Websites & Domains > Hosting Settings

And set the domain no have preference with www or without www. Just set the all redir to the SSL domain and thats all. put www its no more imperative to use.
just type WWW.domain .com and no have any issues if with o without www. its the same address...
 
You must log in or register to reply here.

Similar threads

L
Issue Get WWW and HTTPS Redirects working together for HSTS Preload
Replies
1
Views
413
Sebahat.hadzhi
Sebahat.hadzhi
M
Resolved Domain name issue -- certificate for a domain uses server domain. But can't see how or why
Replies
9
Views
2K
MHC_1
M
P
Resolved Nginx HTTP3 cause invalid redirect on WordPress
Replies
2
Views
2K
Paulo_o
P
F
Issue OCSP for Plesk-Panel does not work
Replies
5
Views
821
Peter Debik
P
S
Issue htaccess header missing
Replies
1
Views
302
SKDamon
S
Back
Top