Support for HTTP Strict Transport Security / HSTS

I'm wondering if Plesk also will implent HTTP Strict Transport (or HSTS) Security in the GUI. It's an extra layer of security for sites who need to be extra secure.

It's being done with a special header (mod_headers for Apache) and a TLS connection. The client (browser) can then verify if the server is the real server and not a man-in-the-middle server/attack.

It's as simple as adding the following code to the vhost config (HTTPS only!):

Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

441 votes

linqlol shared this idea · Nov 26, 2013 · Report… · Admin →

completed ·

AdminPlesk Staff (Community Manager, Plesk International GmbH) responded · Jun 5, 2019

Hi!

The functionality is now available in the SSL It! Plesk Extension: https://ext.plesk.com/packages/3c4117f6-c05c-4d3b-9173-60f10096a9c4-sslit

How to find it:
1. install SSL It! Extension (it’s available for Plesk 17.8+)
2. go to > SSL/TLS Certificates
3. if there is no SSL Certificate installed on the domain – issue one (using, for example, free Let’s Encrypt SSL Certificate)
4. if an SSL Certificate is installed on the domain, there is a switcher HSTS, turn it on
5. Voila!

We would appreciate hearing your feedback on the implementation of this functionality. Thanks in advance!

Show previous admin responses (2)

An error occurred while saving the comment

Dave commented · February 2, 2023 10:00 PM · Report

We need preload

Submitting...
Iñigo commented · December 11, 2022 10:54 PM · Report

Add preload support please

Submitting...
William Gérald Blondel commented · June 23, 2021 8:34 AM · Report

The work was half done! No support for preload!

Submitting...
Ben commented · February 1, 2021 1:16 PM · Report

Preload!

Submitting...
Tim Wakeling commented · December 1, 2020 9:05 PM · Report

Preload please!

Submitting...
André Kasper commented · November 10, 2020 8:54 PM · Report

preload!

Submitting...
Anonymous commented · November 10, 2020 11:03 AM · Report

preload

Submitting...
Nikolai Graf-Rüssel commented · October 5, 2020 1:25 PM · Report

preload

Submitting...
David commented · June 14, 2020 7:32 PM · Report

Please, add preload feature and 1 year option

Submitting...
Anonymous commented · April 30, 2020 6:15 AM · Report

it needs to have the preload option !

Submitting...
Remigio commented · October 31, 2019 2:38 AM · Report

Please add "preload" header feature.

Submitting...
Anonymous commented · July 24, 2019 3:14 PM · Report

Thank you very much for the extension! HSTS preloading would a great feature too. In case you added it, please provide an option for 1 year HSTS header too. Two years is not necessary for most use cases.

Submitting...
Michael Lux commented · June 20, 2019 5:46 AM · Report

Great stuff. Everything important in an easy-to-use UI. Two improvement suggestions:
1. Please add optional HSTS preloading. It's an expert feature, but it makes the whole thing even better!
2. Maybe a link to a sever config checker like Qualys SSL Labs to check if everything is working as configured? Useful, for instance, because the plugin won't notice if you already have another HSTS header in place in Server Config...

@Adrian Mörchen:
You didn't get what HSTS is about, I'm afraid? Ever heard of TLS/SSL stripping?
Sure, if the TLS certificate renewal fails (99 % of the time because the server admin is an idiot and blocked something or screwed up configuration), then it's a p.i.t.a. So is every other configuration error that prevents your domain from working.
I take care of dozens of websites, all protected with Let's encrypt and HSTS. Guess how often I experienced the renewal problem? Exactly once, because of a screwed up nginx config file.

Submitting...
Christian Heutger commented · May 6, 2019 2:15 AM · Report

I'm not sure, if that's the best place, but there seems to be a "bug" in your current SEO safe redirects setup regarding HSTS and primary using the HSTS preload list.

This list requires, that the headers are sent from https://example.com (maybe redirected by http://example.com and not first redirecting to http://www.example.com and then https://www.example.com) as the preload submission tool rejects such redirects.

So your SEO safe redirects are working somehow the "wrong order", if HSTS submission is planned.

Submitting...
Adrian Mörchen commented · December 6, 2018 4:06 AM · Report

-1

HSTS also has some disadvantage.

I.e. ever tried to open a site where for whatever reason the generation of a new certificate failed? p**n in the *ss. (alternative HSTS with very low max-age, but then it isn't useful at all)

Instead there should be a global option for "always redirect to https".

Submitting...
Michael Koontz commented · July 28, 2018 10:41 PM · Report

The addition of HSTS support in Plesk would be a great addition. Please consider adding this soon.

Submitting...
Stevans commented · July 18, 2018 11:32 PM · Report

+1

Submitting...
Anonymous commented · June 30, 2018 6:13 AM · Report

+1
I plan to switch on hsts this year on all https websites, with or without plesk, but would be quite disappointed if not by plesk (no track of what is done,..)

Submitting...
[Deleted User] commented · June 30, 2018 4:19 AM · Report

+1

Submitting...
H50K commented · January 17, 2018 6:19 AM · Report

TRUE, you can set up all this by using "Additional Headers" or .htaccess.

In order not to use .htaccess (slows down a bit) u better use Plesk settings wich should end in .conf!

It would be great if you ad such stuff like the HSTS - Header as a templates.
wth do i have an helpful system like plesk to make my life more easy?!? :-)

Submitting...