HTTP Strict Transport Security (HSTS) is a web security feature that forces browsers to interact with websites only over HTTPS. This prevents potential attacks by ensuring that all communications between the browser and the server are secure.

When a website is configured with HSTS, the browser will remember to access that site using only HTTPS. This is done through the Strict-Transport-Security header, which the server sends to the browser. Once set, the browser will enforce secure connections for a specified period.

To implement HSTS on an Apache server, you need to make a small configuration change. This ensures that all users connect to your website securely, even if they accidentally use HTTP. The steps below outline how to configure HSTS for your website on Apache.

Steps to enable HSTS in Apache:

  1. Ensure your website has a valid SSL certificate and can be accessed via HTTPS.
  2. Launch terminal.
  3. Enable headers module for Apache.
    $ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
    Enabling module headers.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
    • CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.
    Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp
    a2enmod support yes yes no no no no
    Modules to install none
    Module name n/a headers
    Loadmodule directive n/a LoadModule headers_module <module_locations>/mod_headers.so
  4. Open the configuration file for your Apache website using your preferred text editor.
    $ sudo vi /etc/apache2/sites-available/000-mysite.conf
  5. Add Strict-Transport-Security in the Header directive within your virtual server configuration.
    <VirtualHost *:443>
            # .....
            # ....
            Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </VirtualHost>

    Ensure that the `max-age` parameter, which is the duration in seconds the browser should remember the HSTS policy, is appropriately set for your needs. The above setting will remember the policy for one year. Adjust as necessary.

  6. Reload or restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu and Debian
    $ sudo systemctl restart httpd # CentOS and Red Hat
  7. Verify that HSTS has been properly implemented by accessing your website over HTTPS and check the response headers.
    $ curl --head https://www.facebook.com
    HTTP/2 200
    set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
    set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
    cache-control: private, no-cache, no-store, must-revalidate
    pragma: no-cache
    strict-transport-security: max-age=15552000; preload
    vary: Accept-Encoding
    x-content-type-options: nosniff
    x-frame-options: DENY
    x-xss-protection: 0
    expires: Sat, 01 Jan 2000 00:00:00 GMT
    content-type: text/html; charset="utf-8"
    x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
    date: Sun, 16 Feb 2020 05:59:18 GMT
    alt-svc: h3-24=":443"; ma=3600
    date: Sun, 16 Feb 2020 05:59:18 GMT
Discuss the article:

Comment anonymously. Login not required.