HSTS - Enhances the security of website's visitors by prohibiting web browsers from accessing the website via insecure HTTP connections. If visitors are unable to connect via HTTPS, your website will become unavailable.
OCSP Stapling - Enhances the privacy of website's visitors and improves the website performance. The web server will request the status of the website's certificate (can be good, revoked, or unknown) from the CA instead of the visitor's browser doing so.
DracoBlue HSTS
You can always set HSTS using htaccess / nginx config
For HSTS you can add this line in .htaccess: Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
For OCSP Stapling, I have never heard of this before. I found steps here https://www.ssldragon.com/blog/ocsp-stapling/#enable-ocsp-stapling
Andreas Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Be very careful using preload and make sure you know what it means and that you are aware of the potential problems before you do. I'd also recommend starting with a lower max-age and testing before putting a long one.
John-P Thanks for the feedback. I will look into this more. Do you have any recommendations or suggestions on this?
Andreas I found a helpful resource guide at https://certera.com/blog/what-is-ocsp-stapling-or-ssl-stapling-a-detailed-guide/. As I was getting the error, I followed the steps. Maybe it will be helpful.
What a rabbit hole I just went down with this and security headers.
This might be a useful resource: https://cheapsslweb.com/resources/what-is-hsts-certificate
I just followed these steps and I got relief from this HSTS issue!
Perhaps they could also add an option to include the ca_bundle if they are using custom certificates.
I assume most websites on Enhance panels are using free Let's Encrypt certificates.
Just so everyone's aware, Let's Encrypt has ended support for OCSP.
nhybgtvfr
Yeah exactly this, Let's Encrypt stopped supporting OCSP Stapling late 2025.
Since Enhance issues Let's Encrypt certs, IMO OCSP Stapling shouldn't be enabled as a feature request.
Also users can request HSTS here https://hstspreload.org/ if they want their site added to the list. Need to be careful before doing that though as it can break the site if there's no SSL cert or it expires and isn't renewed.
+1 Yes -
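As an added example (not code from any poster in this thread or from Enhance): a small Python check for the header value quoted above, reporting what each directive commits the site to and whether the header meets the hstspreload.org header requirements. The function names are hypothetical, and the parsing follows the RFC 6797 syntax.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three known settings.

    Raises ValueError for a header that a browser would ignore.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is missing or not a non-negative integer")
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def review_hsts(value):
    """Return plain-language findings for an HSTS header value."""
    p = parse_hsts(value)
    findings = []
    if p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    if p["include_subdomains"]:
        findings.append("every subdomain must serve valid HTTPS")
    if p["preload"]:
        if p["max_age"] >= PRELOAD_MIN_AGE and p["include_subdomains"]:
            findings.append("meets the header requirements for the preload list")
        else:
            findings.append("preload is set but the header does not qualify "
                            "(needs max-age >= 31536000 and includeSubDomains)")
    return findings
```

Running `review_hsts` on a short test value such as `max-age=300` returns no findings, which is the low-commitment starting point suggested earlier in the thread.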