If you want to include HSTS (HTTP Strict Transport Security) in your Apache server configuration and not in a specific .htaccess file, you could consider using the “Apache Pre-Main Include” section in WHM.
You can reach the “Apache Pre-Main Include” from WHM by following these steps:
- Log into WHM.
- In the “Service Configuration” section, select “Apache Configuration”.
- Select “Include Editor”.
- In the “Pre-Main Include” section, choose the Apache version from the dropdown and then click on “Update”.
This will open an editor for you to add code. Here, you can add your HSTS configuration. Here’s an example of what that might look like:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
After adding the above code, click “Update” at the bottom of the page.
This will apply the HSTS policy to all sites hosted on the server. Make sure you have SSL correctly configured for all sites before doing this, as it will force all sites to load over HTTPS.
Once you have done this, it would be advisable to check your Apache configuration syntax to make sure that everything is correct before you restart Apache. You can do this by running the command apachectl configtest. If everything is OK, it will say “Syntax OK”. If not, it will display an error message that can help you troubleshoot the issue.
Remember to replace “31536000” with the desired time in seconds and note that once a browser receives this header, the user will not be able to access your site over HTTP for the duration specified by max-age.
Also, “preload” is optional and it should be used only if you want to submit your site to the HSTS preload list, which is a list of sites hardcoded into browsers as being HTTPS only. It’s a big step because it’s not easily reversible, so ensure your site is fully HTTPS compliant before deciding to add this.
Before making any changes, ensure you have a backup and you are ready to restore the previous state if something goes wrong. Also, it’s always a good idea to test these changes on a non-production server if possible.
