I went on a course of The Best TLS Training and thought i should implement what i learn on my domain. Previously, QambarRaza.com was Grade A on https://www.ssllabs.com/ and Grade ‘F’ on https://securityheaders.com/.

But special thanks to https://scotthelme.co.uk/, i was able to make it Grade ‘A+’ on both security analyser websites.

Its very easy to do, i only spent 5 minutes to achieve this. You can do it to even if you don’t have access to nginx server you can do it via passing headers in PHP like i did:

//If the HTTPS is not found to be "on"
if(!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on")
{
    //Tell the browser to redirect to the HTTPS URL.
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    //Prevent the rest of the script from executing.
    exit;
}

header("strict-transport-security: max-age=31536000; includeSubDomains; preload");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: no-referrer");
header("Content-Security-Policy: upgrade-insecure-requests");

And if you want to go one step further you can also submit your website to https://hstspreload.org/ which will make all browsers always open your website in HTTPS but becareful about it as you can break things as your http endpoints will stop working.

Enjoy!