How to enable HSTS for Apache

HSTS or HTTP Strict Transport Security provides an extra layer of security for HTTPS (SSL / TLS) traffic by preventing HTTPS connections from being downgraded to HTTP, which is not encrypted.

You can enable HSTS for Apache by enabling the headers module and adding the related Strict-Transport-Security option in Apache's configuration file.

Steps to enable HSTS in Apache:

Launch terminal application.

Enable headers module for Apache.

$ sudo a2enmod headers #Ubuntu, Debian and SUSE variants
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2

Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.

Options	Debian, Ubuntu	openSUSE and SLES	Fedora Core, CentOS, RHEL	macOS	homebrew	xampp
a2enmod support	yes	yes	no	no	no	no
Modules to install	none
Module name	n/a			headers
Loadmodule directive	n/a			LoadModule headers_module <module_locations>/mod_headers.so

Add relevant Header directive in virtual server configuration.
```
<VirtualHost *:443>
        # .....
        # ....
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>
```
Related: Location for Apache VirtualHost configuration

Related: Options for configuring HTTP headers in Apache

Restart Apache service for the changes to take effect.

$ sudo systemctl restart apache2 #Ubuntu and Debian
$ sudo systemctl restart httpd # CentOS and Red Hat

Related: How to manage Apache service

Test by accessing the service using curl.

$ curl --head https://www.facebook.com
HTTP/2 200
set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
expires: Sat, 01 Jan 2000 00:00:00 GMT
content-type: text/html; charset="utf-8"
x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
date: Sun, 16 Feb 2020 05:59:18 GMT
alt-svc: h3-24=":443"; ma=3600
date: Sun, 16 Feb 2020 05:59:18 GMT

Author: Mohd Shakir Zakaria
Cloud architect by profession but always consider himself as a developer, entrepreneur and an opensource enthusiast.

Discuss the article:

Comment anonymously. Login not required.