We would like to add the HSTS header to our page https://www.wipfelglueck.de
Our page is running on a shared server, so we don’t have access to the httpd.conf. We tried to enable this header via the .htaccess file like this:

    <ifmodule mod_headers.c>
        DefaultLanguage de
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "sameorigin"
        Header set X-Content-Type-Options "nosniff"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header set Referrer-Policy: no-referrer
        <FilesMatch ".(js|css|xml|gz)$">
            Header append Vary Accept-Encoding
        </FilesMatch>
        <filesMatch ".(ico|jpg|jpeg|png|gif|webp)$">
            Header set Cache-Control "max-age=2592000, public"
        </filesMatch>
        <filesMatch ".(css|js|json|html)$">
            Header set Cache-Control "max-age=604800, public"
        </filesMatch>
    </IfModule>

When we check the page we receive the warning in the subject with this text:
“The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed.”
I tried some ways to solve this, but was not successful so far. On the web I can’t find a solution, so I would be happy if you could give me a hint on this!
Thank you very much!!
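
The unconditional HSTS directive from the post beside a conditional form that is only sent on HTTPS requests, as an added example that is not part of the original post. It assumes Apache 2.4 or later (required for `expr=`) and that the web server itself terminates TLS, so that `%{HTTPS}` reflects the scheme the client used.

```apache
# Added example, not the poster's configuration.
# Assumptions: Apache 2.4+ with mod_headers, TLS terminated by this server
# (behind a TLS-terminating proxy %{HTTPS} may be 'off' for every request).
<IfModule mod_headers.c>
    # Before: sent on every response, including plain-HTTP ones,
    # which is what produces the "sends an HSTS header" warning.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # After: the trailing condition restricts the header to requests
    # that arrived over HTTPS; HTTP responses no longer carry it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</IfModule>
```

After the change, the response headers for the `http://` and `https://` URLs can be compared: only the HTTPS response should contain `Strict-Transport-Security`.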