How to enable HSTS on Apache

0 comments 8.7K views 2 minutes read
Published on: August 13, 2022 | Last updated on: October 11, 2024

In this article, we will demonstrate how to enable HSTS in Apache.

To protect HTTPS websites from downgrade attacks, they can implement a web security policy mechanism called HTTP Strict Transport Security (HSTS). Your browser will not be able to view the site via a connection type other than HTTPS if HSTS is enabled.

Some websites continue to have pages that only serve HTTP requests even after SSL has been installed. Therefore, in order to avoid the use of the HTTP protocol, With the introduction of the HSTS header, websites are compelled to switch from the insecure HTTP protocol to the more secure HTTPS protocol.

Let’s Encrypt certificates are strongly suggested if your website still uses HTTP without SSL, as they have aided the widespread transition to HTTPS (almost a solid 25 percent as of today). In addition, Google and other search engines give SSL-enabled sites a higher ranking than those without encryption.

If your Apache-hosted website is already HTTPS-secure, enabling HSTS will be a breeze.

Requirements

This guide assumes:

  • You have a working Apache installation
  • You have a working site
  • You have a working SSL cert
  • You are on Linux

Enabling HSTS headers

the headers module must be added to the configuration file (/etc/apache2/httpd.conf):

LoadModule headers_module modules/mod_headers.so

Configure each site’s headers to enable HSTS on Apache

Configure the header settings for each SSL-using website; the configuration file is often located in /etc/apache2/sites-enabled/.

The configuration file has to have the following line added to it in order to have the Strict-Transport-Security header settings specified for a period of time spanning two years:

<VirtualHost *:443>
...
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
...
</VirtualHost>

Including the includeSubdomains parameter in a URL instructs the browser to load all of the subdomains for that domain. If you disable this setting, only secure connections to the current domain will be allowed. Yet doing so is strongly discouraged.

When the Apache configuration is reloaded, this header will be shown to all users with an expirationtime of 63072000 seconds (2 years). Be sure to apply this setting to the HTTPS (:443) vhost and not the HTTP (:80) one.