HSTS Header


JCOGS Design

3rd Party (Free)

EE Version Support

  • ExpressionEngine 3
  • ExpressionEngine 4
  • ExpressionEngine 5
  • ExpressionEngine 6


This plugin allows you to set the HTTP HSTS Header in a template.



Example Usage

This is a single tag that sets the HSTS header either to sensible default values or to whatever you specify with the available parameters.

Simple usage

Used with no parameters, the tag sets the header using default values, equivalent to
    Header set Strict-Transport-Security "max-age=86400"

Advanced usage

  {exp:hsts_header max_age="31415926" include_sub_domains="yes" preload="yes"}
This will set a header equivalent to
    Header set Strict-Transport-Security "max-age=31415926; includeSubDomains; preload"


  max_age= (value) - Sets the value for the max-age parameter, ignored if set to non-value (default max_age="86400")
  include_sub_domains= (yes/no) - Determines whether the includeSubDomains flag is set (default include_sub_domains="no")
  preload= (yes/no) - Determines whether the preload flag is set (default preload="no")

More information

More information on the Strict-Transport-Security header from OWASP

Download HSTS Header

EE Support | Downloads | Add-On Version | Release Date
3.1.0+     | Download  | 1.0.1          | Feb 15, 2019

This entry was created October 24, 2018, 7:19 pm.
This entry was last updated October 8, 2021, 6:53 pm.

1 Review:

stefanos 10.25.18

Nice work for the security enhancement, redirecting HTTP requests to HTTPS.