Setting up HSTS on Plesk IIS Server

As part of an SEO refinement project for a client in the alternative health device space, we needed to set HSTS headers, which stands for HTTP Strict-Transport-Security response header.

This header tells browsers to never load any pages, files, or resources via HTTP, and force loading over HTTPS. This prevents man in the middle attacks on unsuspecting site users.

This problem was reported in a Screaming Frog SEO analysis. While a low priority problem, fixing it clearly has its benefits.

There are a few approaches we can use including hard coding the header into the head.php file, but we have a problem, that file does not contain the first output to the screen. It turns out each page on the site has its own header area.

Adding the PHP header directive to each page is not practical at this point. We need to find another way.

Luckily there are other methods like adding directives to the web.config file. This is similar to .htaccess file in Apache servers.

Another approach is modifying the IIS settings within Plesk, to automatically apply these custom headers to any request made to the server. This is the option I decided to go with.

While I was in there, I decided to add some other headers related to security and access. These include X Frame Options, Referrer Policy, Content Type Options. These provide a robust setup, and hopefully this problem falls off our Screaming Frog report.

Categories: