Sorry if this has been answered elsewhere, I didn’t find it by search.
Is there an official way to enable HSTS for the control panel? i.e. on port 8083?
Cheers
There isn’t one. You could manually modify the server block in /usr/local/hestia/nginx/conf/nginx.conf to add it, but your changes will be overwritten during the next update.
Also, the CLI has an option to add it:
Getting it added via: hestiacp/bin/v-add-web-domain-ssl-hsts at d4b387a4f03056df2bbee4ebcb52fa50ab949d09 · hestiacp/hestiacp · GitHub
That won’t add HSTS to the control panel on port 8083.
Yeah, that’s not ideal then, particularly with automatic updates enabled. Do you know if it is likely to be added as a toggle in the future, or if it’s possible that the upstream package would be updated to optionally include custom snippets, if they exist, to avoid the wipeout issue?
Sorry, I don’t know whether there are plans to add it, but you could use a workaround by creating a post-install script that Hestia executes on every update, allowing you to add the HSTS conf.
mkdir -p /etc/hestiacp/hooks
touch /etc/hestiacp/hooks/post_install.sh
chmod +x /etc/hestiacp/hooks/post_install.sh
cat > /etc/hestiacp/hooks/post_install.sh << 'EOF'
#!/usr/bin/env bash
# Post-install hook: re-add the HSTS header to the panel's own nginx (port 8083)
# after an update has overwritten its config. Idempotent: exits 0 when the
# header is already present.
HESTIA="/usr/local/hestia"
NGINX_CONF="$HESTIA/nginx/conf/nginx.conf"
NGINX_BIN="$HESTIA/nginx/sbin/hestia-nginx"
NGINX_SERVICE="hestia.service"

if [[ ! -f "$NGINX_CONF" ]]; then
    echo "ERROR: $NGINX_CONF not found"
    exit 1
fi
if [[ ! -x "$NGINX_BIN" ]]; then
    echo "ERROR: $NGINX_BIN not found or not executable"
    exit 1
fi

# Already patched (or the update kept it): nothing to do.
if grep -q "Strict-Transport-Security" "$NGINX_CONF"; then
    exit 0
fi

# The header goes right after the ssl_certificate_key line, i.e. inside the TLS
# server block, so it is only ever sent over HTTPS. sed appends after every
# matching line, so this assumes the panel config has a single TLS server block.
if ! grep -q "ssl_certificate_key" "$NGINX_CONF"; then
    echo "ERROR: 'ssl_certificate_key' not found in $NGINX_CONF, cannot insert HSTS header"
    exit 1
fi

# "always" emits the header on every status code, redirects and errors included.
# HSTS is keyed on the hostname, not the port: once a browser has seen this on
# :8083 it will also force HTTPS for plain-HTTP requests to the same hostname,
# and includeSubDomains extends that to every subdomain of the panel hostname.
# Drop includeSubDomains if any subdomain must stay reachable over HTTP.
if ! sed -i.bak '/ssl_certificate_key/a\\n\t\t# HSTS\n\t\tadd_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' "$NGINX_CONF"; then
    echo "ERROR: sed failed, restoring backup"
    mv "$NGINX_CONF.bak" "$NGINX_CONF"
    exit 1
fi

# Never restart on a config that does not parse; roll back instead.
if ! "$NGINX_BIN" -t &>/dev/null; then
    echo "ERROR: nginx syntax check failed, restoring backup"
    mv "$NGINX_CONF.bak" "$NGINX_CONF"
    exit 1
fi

if ! systemctl restart "$NGINX_SERVICE"; then
    echo "ERROR: Failed to restart $NGINX_SERVICE"
    exit 1
fi
EOF
The above commands will create the script to add the HSTS header. Once done, you can execute the script manually to test it.
/etc/hestiacp/hooks/post_install.sh
grep -A3 ssl_certificate_key /usr/local/hestia/nginx/conf/nginx.conf
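The grep above only proves the directive is in the file; what matters is what the panel actually sends. The following is an added example, not part of the thread and not Hestia's own code: a small bash checker that fetches the panel's response headers, extracts the Strict-Transport-Security value and validates its directives. It assumes the panel answers on https://$PANEL_HOST:8083 (PANEL_HOST is a placeholder you set) and that curl is installed; the sample response it parses offline is constructed here, not captured from a real panel.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check that the panel actually sends a
# usable HSTS header. Assumptions: the panel is reachable at
# https://$PANEL_HOST:8083 and curl is installed. The parsing functions are
# exercised on a constructed response below, so they can be run offline.

# Print the Strict-Transport-Security value from raw response headers on stdin.
# Header names are case-insensitive; the CR of each HTTP line is stripped.
# Returns 1 if the header is absent.
hsts_value() {
    local v
    v=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Print max-age in seconds from a header value (bare or quoted), 0 if missing.
hsts_max_age() {
    local age
    age=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${age:-0}"
}

# Policy check: max-age at least $2 seconds (default one year) and
# includeSubDomains present. Returns 1 for a short max-age, 2 for a missing
# includeSubDomains, 0 when acceptable.
hsts_check() {
    local v="$1" min="${2:-31536000}"
    [ "$(hsts_max_age "$v")" -ge "$min" ] || return 1
    printf '%s' "$v" | grep -qi 'includesubdomains' || return 2
}

# Constructed sample of what the patched panel should answer to a HEAD request.
sample_headers() {
    printf 'HTTP/2 302 \r\nserver: nginx\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'location: /login/\r\n\r\n'
}

# Live check. Certificate verification is deliberately left on: a browser
# discards HSTS from a response whose certificate does not validate, so a
# check run with curl -k could pass a policy no browser will ever store.
check_panel() {
    local host="$1" port="${2:-8083}" hdrs v
    hdrs=$(curl -sS -I --max-time 10 "https://$host:$port/") || return 1
    if ! v=$(printf '%s\n' "$hdrs" | hsts_value); then
        echo "no HSTS header from $host:$port"
        return 1
    fi
    if hsts_check "$v"; then
        echo "HSTS OK on $host:$port: $v"
    else
        echo "weak HSTS on $host:$port: $v"
        return 1
    fi
}

# Offline demonstration on the constructed sample.
sample_headers | hsts_value
# Live run only when a host is supplied, e.g. PANEL_HOST=panel.example.com
[ -z "${PANEL_HOST:-}" ] || check_panel "$PANEL_HOST"
```

Run it as `PANEL_HOST=panel.example.com bash hsts-check.sh` (the file name is arbitrary). Keep in mind when reading the result that the policy a browser learns on port 8083 is stored against the hostname only, so it also upgrades http://panel.example.com/ on port 80, and with includeSubDomains every subdomain of that name.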
Thanks man, that’s just the ticket!