HTTP Strict Transport Security (HSTS) is a web security policy that requires web browsers and other user agents to interact with a website solely over HTTPS. By ensuring that connections are always made securely, HSTS reduces the risk of man-in-the-middle attacks and cookie hijacking.
Modern browsers have built-in support for HSTS, which makes websites more resistant to protocol downgrade attacks and cookie hijacking. Once a website has been loaded over HTTPS and has returned the Strict-Transport-Security header, the browser remembers to access that site only over secure connections for the specified time.
Implementing HSTS for a website running on an Apache server takes only a simple configuration change that adds one response header. This ensures that users always reach your site over an encrypted connection, even if they mistakenly type http:// instead of https://.
```
$ sudo a2enmod headers   # Ubuntu, Debian and SUSE variants
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
```
Options | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS | Homebrew | XAMPP
---|---|---|---|---|---|---
a2enmod support | yes | yes | no | no | no | no
Modules to install | none | none | none | none | none | none
Module name | n/a | headers | headers | headers | headers | headers
LoadModule directive | n/a | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so` | `LoadModule headers_module <module_locations>/mod_headers.so`
```
$ sudo vi /etc/apache2/sites-available/000-mysite.conf
```

```apache
<VirtualHost *:443>
    # .....
    # ....
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```
Ensure that the `max-age` parameter, the number of seconds the browser should remember the HSTS policy, is set appropriately for your needs. The setting above keeps the policy for one year; adjust it as necessary.
```
$ sudo systemctl restart apache2   # Ubuntu and Debian
$ sudo systemctl restart httpd     # CentOS and Red Hat
```
```
$ curl --head https://www.facebook.com
HTTP/2 200
set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
expires: Sat, 01 Jan 2000 00:00:00 GMT
content-type: text/html; charset="utf-8"
x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
date: Sun, 16 Feb 2020 05:59:18 GMT
alt-svc: h3-24=":443"; ma=3600
date: Sun, 16 Feb 2020 05:59:18 GMT
```
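As an added example (not part of the original article), a small Python checker that pulls the Strict-Transport-Security header out of a raw header block such as the `curl --head` output above, parses it according to RFC 6797, and flags a `max-age` shorter than the one-year value set in the Apache snippet or a missing `includeSubDomains`. `SAMPLE_RESPONSE` is a constructed header block, and `ONE_YEAR` is the threshold assumed here.

```python
"""Parse and assess Strict-Transport-Security header values (added example)."""
ONE_YEAR = 31536000  # the max-age the Apache snippet above sets

# Constructed header block modelled on the curl --head output above.
SAMPLE_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=15552000; preload
x-frame-options: DENY
"""


def find_hsts_header(raw_headers):
    """Return the STS value from a raw header block; header names are case-insensitive."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(header_value):
    """RFC 6797 s6.1: max-age is required, repeats invalidate, unknown directives are ignored."""
    if header_value is None:
        return None
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    seen = set()
    for directive in filter(None, (d.strip() for d in header_value.split(";"))):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy[name] = int(value)
        elif name in policy:  # includeSubDomains / preload are valueless flags
            policy[name] = True
    return None if policy["max-age"] is None else policy


def assess_hsts(header_value, min_age=ONE_YEAR):
    """List weaknesses a deployment review would flag; an empty list means OK."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max-age"] < min_age:
        findings.append(f"max-age {policy['max-age']} is below {min_age}")
    if not policy["includesubdomains"]:
        findings.append("includeSubDomains is missing")
    return findings
```

Run `assess_hsts(find_hsts_header(SAMPLE_RESPONSE))` to see both findings for the 180-day, host-only policy in the sample; the header set in the Apache snippet above produces none.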