Let us perform a general overview of the HSTS Policy implementation for the most widespread server types. The following guidelines will be useful for web administrators who have the root access to the servers’ configuration files.
- On Nginx, the HSTS Header field needs to be added to the corresponding Virtual Host record. It begins with “add_header” parameter and all of the directives of the header are enveloped by single quotes, like in the example below:
- add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
- Apache administrators should update the configuration file with the HSTS header beginning with “Header always set” parameter” and the header’s directives should be enveloped by double quotes. The example is given below:
- Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
- On Microsoft servers running IIS (Internet Information Services) the code, specified below, needs to be added to the central “web.config” file (without the spaces after < signs in the beginning of the lines):
- < httpProtocol>
< customHeaders>
< add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload "/>
< /customHeaders>
< /httpProtocol>
- < httpProtocol>
