Implementing HTTP Strict Transport Security (HSTS) ensures that browsers always use secure HTTPS connections when communicating with a server, mitigating risks of downgrade attacks or man-in-the-middle exploits.
By setting the Strict-Transport-Security header, the server instructs compatible browsers to enforce secure connections for a specified duration. This prevents exposure of sensitive data because the browser rewrites any HTTP attempt into an HTTPS request before it is sent.
Deploying HSTS on an Apache server requires a valid SSL certificate and the addition of relevant header directives. Configuring these settings helps preserve data integrity and confidentiality by creating an environment where clients only interact with protected resources.
Steps to enable HSTS in Apache:
- Ensure your website has a valid SSL certificate and can be accessed via HTTPS.
- Launch terminal.
- Enable headers module for Apache.
```
$ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
```
- Distributions with a2enmod support can simply run the command above without having to enable the required module manually.
- CentOS and Red Hat enable the module by default, so no manual action is required.
| Options | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS homebrew | xampp |
|---|---|---|---|---|---|
| a2enmod support | yes | yes | no | no | no |
| Modules to install | none | none | none | none | none |
| Module name | n/a | n/a | headers | headers | headers |
| LoadModule directive | n/a | n/a | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so` |

- Open the configuration file for your Apache website using your preferred text editor.
```
$ sudo vi /etc/apache2/sites-available/000-mysite.conf
```
- Add a Header directive that sets Strict-Transport-Security inside the HTTPS virtual host configuration.
```
<VirtualHost *:443>
    # .....
    # ....
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```
Ensure that the `max-age` parameter, which is the duration in seconds the browser should remember the HSTS policy, is appropriately set for your needs. The above setting will remember the policy for one year. Adjust as necessary. Browsers only honour the header when it arrives over HTTPS, which is why it belongs in the port 443 virtual host, and because this example also sets `includeSubDomains`, every subdomain must already be served over HTTPS before you deploy it.
- Reload or restart the Apache service to apply the changes.
```
$ sudo systemctl restart apache2 # Ubuntu and Debian
$ sudo systemctl restart httpd   # CentOS and Red Hat
```
- Verify that HSTS is in place by requesting your website over HTTPS and checking the response headers for Strict-Transport-Security.
```
$ curl --head https://www.facebook.com
HTTP/2 200
set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
expires: Sat, 01 Jan 2000 00:00:00 GMT
content-type: text/html; charset="utf-8"
x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
date: Sun, 16 Feb 2020 05:59:18 GMT
alt-svc: h3-24=":443"; ma=3600
date: Sun, 16 Feb 2020 05:59:18 GMT
```
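The verification step above only eyeballs the header. The following script is an added example, not code from the original article: it parses the Strict-Transport-Security value out of captured `curl --head` output and audits it against a minimum `max-age` (the sample headers are constructed from the output shown above; the function names and the one-year default are this example's own choices).

```shell
#!/bin/sh
# Added example, not code from the original article: audit the Strict-Transport-Security
# header captured with `curl --head` in the verification step. hsts_audit returns 0 when
# the policy meets the minimum max-age and 1 otherwise.

# Pull the HSTS header value out of a block of response headers (name match is case-insensitive).
hsts_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 |
        cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print max-age in seconds, or nothing when the directive is absent. Directives are
# split on ';' and lower-cased; RFC 6797 also allows the value to be quoted.
hsts_max_age() {
    printf '%s\n' "$1" | tr ';' '\n' | tr '[:upper:]' '[:lower:]' |
        sed -n 's/^[[:space:]]*max-age="*\([0-9][0-9]*\)"*.*/\1/p' | head -n 1
}

# Succeed when the named flag (includeSubDomains or preload) is present, case-insensitive.
hsts_has_flag() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' | tr '[:upper:]' '[:lower:]' |
        grep -qx "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Report on a header value. The default minimum is one year (31536000 seconds), the
# value the article's Apache directive sets.
hsts_audit() {
    value=$1
    min=${2:-31536000}
    [ -n "$value" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    age=$(hsts_max_age "$value")
    [ -n "$age" ] || { echo "FAIL: max-age directive missing"; return 1; }
    status=0
    if [ "$age" -lt "$min" ]; then
        echo "WARN: max-age=$age is below the minimum $min"
        status=1
    else
        echo "OK: max-age=$age"
    fi
    hsts_has_flag "$value" includeSubDomains &&
        echo "INFO: includeSubDomains set; every subdomain must already serve HTTPS"
    hsts_has_flag "$value" preload && echo "INFO: preload set"
    return "$status"
}
# Constructed sample modelled on the article's curl output; in a real check use
# SAMPLE_HEADERS=$(curl -sI https://your.site) instead.
SAMPLE_HEADERS='HTTP/2 200
strict-transport-security: max-age=15552000; preload'
hsts_audit "$(hsts_from_headers "$SAMPLE_HEADERS")" || echo "policy is below the one-year minimum"
```

Run against the sample, the audit warns because 15552000 seconds (180 days) is below the one-year value the article's directive uses; pass a second argument to change the threshold.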

Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.