I am looking at setting up HSTS as described at https://hstspreload.org for better security and speed on my websites.
For those who are not familiar with HSTS, it basically provides preload information to browsers that your site should only be accessible over SSL. I’ve wavered over this until now, but I can’t see myself changing any of my sites back to non-SSL, so this seems like a good step.
In essence, visitors are sent straight to the https version with no redirect, but you must maintain a valid SSL certificate or your site could be unreachable for months. My new web host applies SSL certificates to websites by default now as soon as they are added, which suggests http sites will be history before long.
From what I’ve read, this bit of text below should be included in the metadata of the site prior to being submitted to preload lists. When I add it to the page settings under the add code Header section and preview or publish, the very same text is visible on the web page.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
If I put the code in brackets like below it no longer shows up on the page, but I still get an error message when attempting to validate, which says there is no HSTS header present on the response.
<Strict-Transport-Security: max-age=63072000; includeSubDomains; preload />
Does anybody know the correct way to do this and where I am going wrong?
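Added example, not part of the original post: Strict-Transport-Security is an HTTP response header sent by the web server, so text placed in a page's HTML head never reaches the place a validator looks. The Python sketch below checks a raw response the way such a validator would; the function names, the two sample responses (constructed to mirror the post) and the one-year minimum taken from hstspreload.org's published requirements are assumptions of this example.

```python
# Added example: checks a raw HTTP response for a preload-ready HSTS header.
# The two responses below are constructed samples, not captured traffic.
from email.parser import Parser

MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def split_response(raw):
    """Return (headers, body) from a raw HTTP/1.1 response string."""
    head, _, body = raw.partition("\r\n\r\n")
    _status, _, header_lines = head.partition("\r\n")
    return Parser().parsestr(header_lines, headersonly=True), body

def check_hsts(raw):
    """Return a list of problems; an empty list means preload-ready."""
    headers, body = split_response(raw)
    value = headers.get("Strict-Transport-Security")
    if value is None:
        problems = ["no HSTS header present on the response"]
        if "strict-transport-security" in body.lower():
            problems.append("directive found in the HTML body, where browsers ignore it")
        return problems
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append("max-age below %d" % MIN_MAX_AGE)
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append("missing %s directive" % required)
    return problems

# Constructed: the header text pasted into the page's <head>, as in the post.
IN_BODY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><head><Strict-Transport-Security: max-age=63072000; "
           "includeSubDomains; preload /></head><body></body></html>")
# Constructed: the same value sent by the server as a response header.
IN_HEADER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
             "\r\n<html></html>")

if __name__ == "__main__":
    print(check_hsts(IN_BODY))
    print(check_hsts(IN_HEADER))
```

The header itself has to be set wherever the server or hosting platform configures response headers, which depends on the host and is not shown here.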