Version: 1.7.2
How to Enable HSTS on a Domain in OpenPanel
HSTS (HTTP Strict Transport Security) can be enabled either globally for all domains or individually for specific domains in OpenPanel.
Enabling HSTS for a Specific Domain
As an End User
If you are an OpenPanel user:
- Ensure you have access to the edit_vhost feature. If enabled, you will see Edit VirtualHosts under the Domains section.
- Click Edit VirtualHosts and select the domain you want to configure.
- In the editor, add the HSTS header only within the HTTPS section.
- Use the correct syntax depending on your web server (Nginx, Apache, OpenLiteSpeed, etc.).
- Save your changes.
Example Configurations:
OpenLiteSpeed
Add this in the Rewrite/Headers section for the HTTPS listener:
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
Apache
Add the following inside the block:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
</IfModule>
Nginx
Add this inside the server block:
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload" always;
As an Administrator
If you have OpenAdmin or root SSH access:
- Open the domain’s Caddy vhost configuration file:
/etc/openpanel/caddy/domains/DOMAIN_NAME.TLD.conf
- Add the following HSTS header just before the
tls {line:
# HSTS
header {
Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
}
- Save the file and reload Caddy.
Enabling HSTS for All Domains
To apply HSTS automatically to all domains on the server:
- Edit the default domain templates:
/etc/openpanel/caddy/templates/domain.conf_with_modsec
/etc/openpanel/caddy/templates/domain.conf
- Add the HSTS header just before the
tls {line in each template:
# HSTS
header {
Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
}
- Save the templates. All new domains created afterward will inherit this HSTS configuration.
Was this helpful?