HSTS (HTTP Strict Transport Security) adds a layer of protection to HTTPS (SSL/TLS) sites: once a browser has seen the header it refuses to reach the host over plain, unencrypted HTTP, so a connection cannot be downgraded from HTTPS to HTTP.
You can enable HSTS for Apache by enabling the headers module (mod_headers) and adding the Strict-Transport-Security header to Apache's configuration file.
```
$ sudo a2enmod headers   # Ubuntu, Debian and SUSE variants
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
```
| Options | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS | Homebrew | XAMPP |
|---|---|---|---|---|---|---|
| a2enmod support | yes | yes | no | no | no | no |
| Modules to install | none | none | none | none | none | none |
| Module name | n/a | headers | headers | headers | headers | headers |
| LoadModule directive | n/a | `LoadModule headers_module <module_locations>/mod_headers.so` | same as openSUSE | same as openSUSE | same as openSUSE | same as openSUSE |
```
<VirtualHost *:443>
    # .....
    # ....
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>
```
```
$ sudo systemctl restart apache2   # Ubuntu and Debian
$ sudo systemctl restart httpd     # CentOS and Red Hat
```
To verify that the header is actually sent, fetch the response headers with curl (www.facebook.com is used here only as an example of a site that serves the header):

```
$ curl --head https://www.facebook.com
HTTP/2 200
set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
expires: Sat, 01 Jan 2000 00:00:00 GMT
content-type: text/html; charset="utf-8"
x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
date: Sun, 16 Feb 2020 05:59:18 GMT
alt-svc: h3-24=":443"; ma=3600
date: Sun, 16 Feb 2020 05:59:18 GMT
```
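As an added example that is not part of the original guide, the POSIX shell helper below takes captured `curl --head` output, pulls out the Strict-Transport-Security value and reports whether the policy is missing, merely enabled, or also meets the HSTS preload list's published minimums (max-age of at least one year, includeSubDomains and preload). The response headers in `SAMPLE_HEADERS` are constructed for the demo, not a real site's output.

```shell
#!/bin/sh
# Constructed sample of what `curl --head` might return for a site that
# uses the Apache directive from this guide (not real output from any site).
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset="utf-8"
strict-transport-security: max-age=15552000; includeSubDomains
date: Sun, 16 Feb 2020 05:59:18 GMT'

# Print the value of the Strict-Transport-Security header (name matched
# case-insensitively, CR stripped) from response headers read on stdin.
hsts_value() {
    tr -d '\r' | awk -F': ' 'tolower($1) == "strict-transport-security" { print $2; exit }'
}

# Print the numeric max-age directive of an HSTS value, or 0 when absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' ' \
        | awk -F= 'tolower($1) == "max-age" { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# Print "yes" when the named directive (e.g. includeSubDomains) is present.
hsts_has_directive() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' ' | grep -qi "^$2\$" && echo yes || echo no
}

# Classify an HSTS value: "missing" (no header), "enabled" (header present)
# or "preload-ready" (max-age >= 31536000 s, includeSubDomains and preload,
# the minimums published for the browser preload list).
hsts_status() {
    [ -z "$1" ] && { echo missing; return; }
    age=$(hsts_max_age "$1")
    if [ "$age" -ge 31536000 ] \
        && [ "$(hsts_has_directive "$1" includeSubDomains)" = yes ] \
        && [ "$(hsts_has_directive "$1" preload)" = yes ]; then
        echo preload-ready
    else
        echo enabled
    fi
}

# Run the check on the constructed sample; pipe real curl output in instead
# when checking your own server.
value=$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_value)
echo "HSTS: ${value:-<none>} -> $(hsts_status "$value")"
```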