HSTS or HTTP Strict Transport Security provides an extra layer of security for HTTPS (SSL / TLS) traffic by preventing the connection to be downgraded to HTTP, which is not encrypted.

HSTS can be enabled in Apache by enabling the headers module with some specific configurations.

Steps to enable HSTS on Apache:

  1. Launch terminal application.
  2. Enable headers module for Apache. 
    $ sudo a2enmod headers # Ubuntu and Debian
[sudo] password for user:
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2

    How to enable or disable Apache modules

  3. Add relevant Header directive in virtual server configuration. 
    <VirtualHost *:443>
        # .....
        # ....
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>

    Apache configuration files

    Options for configuring HTTP headers in Apache

  4. Restart Apache service for the changes to take effect. 
    $ sudo systemctl restart apache2 # Ubuntu and Debian
$ sudo systemctl restart httpd # CentOS and Red Hat

    How to start, restart and stop Apache service

  5. Test by accessing the service using curl. 
    $ curl --head https://www.facebook.com
HTTP/2 200
set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
expires: Sat, 01 Jan 2000 00:00:00 GMT
content-type: text/html; charset="utf-8"
x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
date: Sun, 16 Feb 2020 05:59:18 GMT
alt-svc: h3-24=":443"; ma=3600
date: Sun, 16 Feb 2020 05:59:18 GMT

Guide compatibility:

Operating System
Ubuntu 16.04 LTS (Xenial Xerus)
Ubuntu 16.10 (Yakkety Yak)
Ubuntu 17.04 (Zesty Zapus)
Ubuntu 17.10 (Artful Aardvark)
Ubuntu 18.04 LTS (Bionic Beaver)
Ubuntu 18.10 (Cosmic Cuttlefish)
Ubuntu 19.04 (Disco Dingo)
Discuss the article:

Comment anonymously. Login not required.

author: shakir
Share!