What does the directadmin.conf HSTS parameter do?

In my attempt to roll out HSTS for all clients, I have been searching around and found a lot of customizations in the vhosts templates. Though I have no doubt that will work, I also came across the HSTS header: HTTP Strict Transport Security feature that was added with DA 1.49.

When reading the feature page it is not entirely clear if this is supposed to work for clients, or only for the 2222 pages. Also the Release Candidate post was not clear to me; All traffic to the control panel, or also individual domains?

HSTS Header - ability to redirect all http traffic to https before any client connection (careful: affects apache with same host).

Click to expand...

So eventually I just tried it by adding 'hsts=5184000' to directadmin.conf, ran './build rewrite_confs' (not documented, but I assumed it would make sense to rewrite the vhosts), but no avail. Nor my client's sites, nor the example.com:2222 page shows the HSTS header.

What is 'hsts=5184000' supposed to do?

Hello,

The article "HSTS header: HTTP Strict Transport Security" https://www.directadmin.com/features.php?id=1776 says:

1. it will only be added to the login page, and not any other page.
2. See "IMPORTANT" below

Then section "IMPORTANT" gives even more insights.

It comes very clear that the feature is used only for Directadmin (not for apache/nginx). Enabling the feature won't add the HSTS header in Nginx/Apache.

Hi Alex,

I read that page multiple times yesterday, yet I did not see that line. It is indeed pretty clear to me now.
I asked here because the header also did not show on any DA page (including the login page). Now, after knowing where to look, it appeared after restarting the directadmin service.

Thanks for helping me out. I'll use the custom vhosts templates then.

How did you check the header? It won't be added into HTML code.

I used my browsers development tools and telerik fiddler. But like I said, it worked after restarting directadmin