HSTS configuration

Discussion in 'Installation/Configuration' started by Frans Luteijn, May 1, 2023.

  1. Frans Luteijn

    Frans Luteijn New Member

    Is there an option to add HSTS to a site? I've created the directive snippet:

    <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    </IfModule>

    but that snippet needs to be added manually for each site, while just enabling an "HSTS"-option is much easier.
    I've found in the file server/conf/vhost.conf.master something similar:
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    but I hesitate to modify this file, because at an update these changes will be overwritten.
    Because of this commented text I was wondering if there would be an easy option to enable HSTS.
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can copy the vhost master from the conf folder to the conf-custom folder in order to customize it, i.e. uncomment those commented lines; this way they will be update-proof.
     
  3. Frans Luteijn

    Frans Luteijn New Member

    Thank you for your answer, but this is not exactly what I meant. Copying and modifying this file to the custom-conf directory changes this for all new and modified sites. What I'm looking for is something like a switch to enable this for individual websites.
    Apparently there is something already prepared to enable HSTS. Or is this for a future development?
     
  4. michelangelo

    michelangelo Active Member

    Afaik it was commented in the vhost.conf template in 2016, because it probably led to issues for non-SSL secured vhosts when it was set to be enabled back then.
    Personally I'm not sure if this is really a necessary setting which needs to be in the UI since people can set this setting via the directive snippets, although I wouldn't mind it if it was implemented.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Other than the snippet and the conf-custom, there is no other easy way, I think. You can surely request it as a feature but then that will be up to the developers or any other contributors to decide on whether to spend their time coding and integrating that, which also means spending time maintaining that as well.
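
A header check for the two values quoted in this thread, as an added example that is not part of any post and not ISPConfig code: it parses Strict-Transport-Security per RFC 6797 and reports what a browser would act on, including a response that carries the header twice (possible when a template and a snippet using `Header always add` both emit it). The function names and result keys are this example's own; `preload_eligible` covers only the header-level preload requirements.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum the preload list accepts

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {directive: argument} with lower-cased names, or None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = arg.strip().strip('"')  # simplified quoted-string
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a number of seconds
    return directives

def audit_hsts(header_values, served_over_https=True):
    """Evaluate the STS header fields of one response the way a browser would."""
    result = {"effective": False, "max_age": None,
              "include_subdomains": False, "preload_eligible": False,
              "ignored_duplicates": max(len(header_values) - 1, 0)}
    if not served_over_https or not header_values:
        return result  # STS received over plain HTTP is ignored (section 8.1)
    parsed = parse_hsts(header_values[0])  # only the first field is processed
    if parsed is None:
        return result
    max_age = int(parsed["max-age"])
    subdomains = "includesubdomains" in parsed
    result.update(
        effective=max_age > 0,  # max-age=0 tells the browser to drop the policy
        max_age=max_age,
        include_subdomains=subdomains,
        preload_eligible=("preload" in parsed and subdomains
                          and max_age >= PRELOAD_MIN_AGE),
    )
    return result

# The two header values that appear in this thread
SNIPPET = "max-age=31536000; includeSubDomains; preload"
TEMPLATE = "max-age=15768000"
```
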
     
