Support for HTTP Strict Transport Security / HSTS

I'm wondering if Plesk also will implent HTTP Strict Transport (or HSTS) Security in the GUI. It's an extra layer of security for sites who need to be extra secure.

It's being done with a special header (mod_headers for Apache) and a TLS connection. The client (browser) can then verify if the server is the real server and not a man-in-the-middle server/attack.

It's as simple as adding the following code to the vhost config (HTTPS only!):

Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

441 votes

linqlol shared this idea · Nov 26, 2013 · Report… · Admin →

completed ·

AdminPlesk Staff (Community Manager, Plesk International GmbH) responded · Jun 5, 2019

Hi!

The functionality is now available in the SSL It! Plesk Extension: https://ext.plesk.com/packages/3c4117f6-c05c-4d3b-9173-60f10096a9c4-sslit

How to find it:
1. install SSL It! Extension (it’s available for Plesk 17.8+)
2. go to > SSL/TLS Certificates
3. if there is no SSL Certificate installed on the domain – issue one (using, for example, free Let’s Encrypt SSL Certificate)
4. if an SSL Certificate is installed on the domain, there is a switcher HSTS, turn it on
5. Voila!

We would appreciate hearing your feedback on the implementation of this functionality. Thanks in advance!

Show previous admin responses (2)

An error occurred while saving the comment

Denver Prophit Jr. commented · January 12, 2018 12:32 AM · Report

Your KB needs to update the NGINX HSTS with the always parameter.

Submitting...
Alexander Yamshanov commented · January 11, 2018 8:57 PM · Report

Hi all,

Did you see a KB: https://support.plesk.com/hc/en-us/articles/115002234393-How-to-enable-Strict-Transport-Security-HSTS-for-domain-on-a-Linux-or-Windows-servers- ?

Submitting...
mrwolf commented · June 29, 2017 7:33 PM · Report

I was tempted to copy/paste the solutions given on the forum and here....
Later I noticed I needed to change them as they were giving problems.

One is minor and only involves the testing of the domain by SSLlabs.
It turned out that SSLlabs chokes on websites that need credentials to test HSTS
These sites need the "always" attribute.

The other one is the flag "includeSubDomains".
As most will use this nginx directive server wide and they don't really know for a 100% what their clients are up to, you shouldn't use that flag.
I had a client that was running a plain http-only domain on a subdomain on some other server.
That site stopped working for all clients that previously went to their main site.
IMHO the flag includeSubDomains doesn't add anything extra for the site you're securing.
It limits all the sites of that domain to https.
This may be sensible for 1 specific domain, but most likely not a decision for you to make for ALL your clients.

add_header Strict-Transport-Security 'max-age=15768000' always;

Submitting...
Nelsir Carlos Luterek commented · June 22, 2017 8:06 AM · Report

good afternoon
This feature will be very useful since many internet sites like google chrome browser already uses this technology, my vote is to be implemented in plesk.

Submitting...
Ann commented · May 9, 2017 9:48 PM · Report

+1

Submitting...
iadeo commented · April 8, 2017 11:18 AM · Report

+1

Submitting...
Daniel commented · March 8, 2017 11:46 PM · Report

+1

Submitting...
Jordan Schelew commented · February 19, 2017 4:26 PM · Report

I'm in favour of this as well. But a quick warning: make sure to remove the 'includeSubDomains' if the domain is being used for the Quick Preview URL.

Submitting...
Peter Downes commented · January 24, 2017 4:30 AM · Report

+1

Submitting...
Abdullah commented · January 11, 2017 3:54 AM · Report

A very simple feature to implement, yet it's been 3+ years. Having to patch it through HTTP directives.

Submitting...
[Deleted User] commented · December 30, 2016 10:44 AM · Report

Great idea, hopefully it will be added to Plesk (12.5 would be great).

Submitting...
Anonymous commented · December 11, 2016 12:27 PM · Report

+1

Submitting...
DerDanilo commented · December 10, 2016 8:40 AM · Report

This could be added for each subdomain/domain config page, just add a tickbox like the one that allows recirect from http to https.

Thanks!

Submitting...
Florian commented · October 24, 2016 12:03 AM · Report

push

Submitting...
Michael Lux commented · June 27, 2016 6:39 AM · Report

I'm already using HSTS via custom headers and would greatly appreciate a standard, less error-prone way for always using HSTS headers and automatic redirect to HTTPS.

@Marco Marsala: HSTS is a great technique and so far the only promising technique to stop SSL-Stripping attacks, for example in public WiFis.
The reason for big sites not using this is that it can break backwards compatibility in some scenarios, which seem more important to them than the security of their customers.

Submitting...
Lloyd Day commented · June 22, 2016 4:56 AM · Report

In my opinion, you would want something like the preferred domain setting so you could set https preferred which would...

- add a 301 redirect to https (in Apache HTTP)
- add the HSTS header (in Apache HTTPS)
- along with corresponding 301 redirect in Nginx

Like...https://www.lloyd-day.me/secure-redirects-in-plesk/
Regards

Lloyd

Submitting...
Adam commented · February 19, 2016 2:41 AM · Report

+1

Submitting...
Marco Marsala commented · February 16, 2016 9:35 AM · Report

No big sites, like Facebook, use that header.

Submitting...
ps commented · January 3, 2016 9:38 AM · Report

+1

Submitting...
Web Master commented · August 8, 2015 1:44 AM · Report

what's keeping Plesk so long to implement this?

Submitting...