Facebook
Twitter
I'm using Plesk Onyx 17.5 with Apache (no nginx) under Debian 8 x64. Recently I edited the .htaccess files of all my websites to force HTTPS. Then I heard about HSTS and wanted to enable this. I found this article: How to enable HTTP Strict-Transport-Security (HSTS) for a domain on the Plesk server?
I have two questions:
1.) According to the corresponding RFC, the HSTS header should never be sent via HTTP, only via HTTPS. But how can I achieve this with Plesk? When I add the header as described in the article, the header is always sent. Can I use the textbox at the bottom?
2.) This is only partially related to Plesk. The recommendation is to redirect to HTTPS first and then do other redirects like adding www. to the domain. When enabling the two options in Plesk to redirect to www and HTTPS, there is only one redirect, so I have to use the htaccess file (as I always did).
Doing two redirects is not the problem, but what if the user already uses the www version of my domain? Should I redirect him always to the top domain and then add www? And what if he already uses HTTPS, then also redirect to the top domain?
I have two questions:
1.) According to the corresponding RFC, the HSTS header should never be sent via HTTP, only via HTTPS. But how can I achieve this with Plesk? When I add the header as described in the article, the header is always sent. Can I use the textbox at the bottom?
2.) This is only partially related to Plesk. The recommendation is to redirect to HTTPS first and then do other redirects like adding www. to the domain. When enabling the two options in Plesk to redirect to www and HTTPS, there is only one redirect, so I have to use the htaccess file (as I always did).
Doing two redirects is not the problem, but what if the user already uses the www version of my domain? Should I redirect him always to the top domain and then add www? And what if he already uses HTTPS, then also redirect to the top domain?
Last edited:
