Enable Apache HSTS on SSL enable sites

  • Hi,

    A little suggestion here, what about enable, by default or by option, the ability to get HSTS (HTTP Strict Transport Security) on ?

    This will bring a new layer in the security when using SSL certificates.

    Doing that, Apache header module need to be enabled.

    So, what's your opinion on this ?

  • Opinion is that the admin can enable it itself ;)


  • Sure @Nuxwin, but if I post it there, it's because, when an update will be made, the modification need to be redone again and again^^

    Well, I was just posting this there just in case, and I'll made this manually as I do it for DNS and some other little conf, not the issue for me :)

  • @Ninos, if only I was having such time to develop such plugin, I'll not be there asking this to be added :)

    But actually, I didn't have the time for it, and in the end, the "Template Editor" plugin will also, at the end, provide such feature (by modifying the template that generate Apache SSL conf files).

    So for now, as this doesn't seems to be a priority at all, I'll do the manual way as I always do so far ( :) ) and will wait the TE plugin to "fix" that properly :P

  • Re


    I'll add that for the 1.2.x version ;) Please open a ticket.


  • As a plugin would be preferred, since all IE versions prior to 12 do not support HSTS.

    And yes, just drop the bomb - People can just use a "real" browser Chrome,Firefox what ever - But as a fact, we still have many IE users especially clients of those who use i-MSCP to host clients.
    For those interested, it is confirmed to be introduced in IE 12: https://threatpost.com/ie-12-t…ncryption-protocol/105266