How to enable HTTP Strict Transport Security (HSTS) for Apache
HTTP Strict Transport Security (HSTS) is a web security policy that enforces web browsers and other user agents to interact with websites solely over HTTPS. By ensuring connections are always made securely, HSTS minimizes the risk of man-in-the-middle attacks and cookie hijacking.
Modern browsers have built-in support for HSTS, which makes websites more resistant against protocol downgrade attacks and cookie hijacking. When a website has been loaded over HTTPS and returns the Strict-Transport-Security header, the browser will remember to access that site using only secure connections for a specified time.
Implementing HSTS for your website running on an Apache server can be achieved with a response header change by just a simple configuration. This enhancement ensures that users always access your site over an encrypted connection, even if they mistakenly type http:// instead of https://.
Steps to enable HSTS in Apache:
- Ensure your website has a valid SSL certificate and can be accessed via HTTPS.
- Launch terminal.
- Enable headers module for Apache.
$ sudo a2enmod headers # Ubuntu, Debian and SUSE variants Enabling module headers. To activate the new configuration, you need to run: systemctl restart apache2
- Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
- CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2enmod support yes yes no no no no Modules to install none Module name n/a headers Loadmodule directive n/a LoadModule headers_module <module_locations>/mod_headers.so - Open the configuration file for your Apache website using your preferred text editor.
$ sudo vi /etc/apache2/sites-available/000-mysite.conf
- Add Strict-Transport-Security in the Header directive within your virtual server configuration.
<VirtualHost *:443> # ..... # .... Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" </VirtualHost>Ensure that the `max-age` parameter, which is the duration in seconds the browser should remember the HSTS policy, is appropriately set for your needs. The above setting will remember the policy for one year. Adjust as necessary.
- Reload or restart the Apache service to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu and Debian $ sudo systemctl restart httpd # CentOS and Red Hat
- Verify that HSTS has been properly implemented by accessing your website over HTTPS and check the response headers.
$ curl --head https://www.facebook.com HTTP/2 200 set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly cache-control: private, no-cache, no-store, must-revalidate pragma: no-cache strict-transport-security: max-age=15552000; preload vary: Accept-Encoding x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 0 expires: Sat, 01 Jan 2000 00:00:00 GMT content-type: text/html; charset="utf-8" x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw== date: Sun, 16 Feb 2020 05:59:18 GMT alt-svc: h3-24=":443"; ma=3600 date: Sun, 16 Feb 2020 05:59:18 GMT
Mohd Shakir Zakaria is a skilled cloud architect with a background in development, entrepreneurship, and open-source advocacy. As the founder of Simplified Guide, he helps others understand the complexities of computing, making tech concepts accessible to all.
Comment anonymously. Login not required.