How to Disable HTTP Strict Transport Security Policy in Apache

HTTP Strict Transport Security (HSTS) protects your websites from malicious attacks such as man-in-the-middle attacks, clickjacking and protocol downgrades. It lets a server tell browsers and other compliant clients that they must only request its URLs over HTTPS/SSL. If you do not want HSTS on your site, the steps below disable the HTTP Strict Transport Security policy on an Apache server.


Here are the steps to disable HSTS in Apache.


1. Open configuration file

Open the virtual host configuration file for your website under /etc/apache2/sites-available. If you have not created a separate virtual host file, open the default virtual host configuration file in a text editor.

$ sudo vi /etc/apache2/sites-available/000-default.conf



2. Disable HSTS in Apache

Look for the following line:

Header always set Strict-Transport-Security ...

If you find it, remove it or comment it out by adding a # at the beginning of the line.

If you are unable to find this line, run the following command to find the files where the above header is present.

$ sudo grep -nr "Strict-Transport-Security" /etc/apache2/sites-available

The output will list all files in /etc/apache2/sites-available that contain the above header directive.

If you still cannot find it, then look into the server configuration file at any of the following locations, depending on your installation:

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf

HSTS is not enabled by default in Apache, so the header can only be present because someone explicitly added it, either in the main server configuration file or in a virtual host configuration file.

It is therefore important to find the exact file where HSTS is enabled and disable it there.



3. Restart Apache Server

Restart Apache server to apply changes.

$ sudo service apache2 restart

That’s it. You can use an online tool such as Qualys SSL Labs to check that HSTS is no longer being sent by your website.
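The three steps above can be scripted and verified locally as well. The following shell script is an added example written for this article; it is not the article's own code and not part of Apache. It assumes only POSIX sh with grep, sed and mktemp, and every path, host name and response header in it is constructed for the demonstration. It scans a configuration tree for Strict-Transport-Security directives that Apache will actually load (skipping lines already commented out, and catching .htaccess files, where Header is permitted when AllowOverride FileInfo is in effect), comments out the active ones in a given file, and pulls the header out of a captured response so you can confirm the result with curl instead of an online checker. One caveat the article does not cover: browsers that have already received the header keep enforcing HTTPS until its max-age expires, so if returning visitors must be able to reach the site over plain HTTP again, serve Strict-Transport-Security with max-age=0 for a while before removing the directive entirely.

```shell
#!/bin/sh
# Added example for this article; it is not the article's own code and not part of
# Apache. Assumes only POSIX sh plus grep, sed and mktemp. All paths and the sample
# response below are constructed for the demonstration.
set -u

# Print every Strict-Transport-Security directive under DIR that Apache will load:
# a line is skipped when its first non-blank character is '#', because that is the
# "comment it out" state the article asks for. Output is file:line:text, like the
# article's grep. Scanning the whole directory also catches .htaccess files, where
# "Header" is permitted when AllowOverride FileInfo is in effect.
find_active_hsts() {
    grep -rn "Strict-Transport-Security" "$1" 2>/dev/null \
        | grep -v '^[^:]*:[0-9][0-9]*:[[:space:]]*#' || true
}

# Number of active directives under DIR (0 when none remain).
count_active_hsts() {
    find_active_hsts "$1" | grep -c . || true
}

# Comment out every active HSTS "Header" line in FILE, in place, keeping the file's
# owner and permissions. No backup copy is written, so that a leftover file cannot be
# picked up by the scan above; keep configuration under version control instead.
disable_hsts_in_file() {
    tmp=$(mktemp)
    sed 's/^\([[:space:]]*\)\(Header[[:space:]].*Strict-Transport-Security\)/\1# \2/' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Extract the Strict-Transport-Security value from raw response headers, for example
# the output of `curl -sI https://your-host/`. Prints nothing and returns 1 when the
# header is absent, which is the state you want to see after the restart.
hsts_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Strict-Transport-Security:' \
        | sed 's/^[^:]*:[[:space:]]*//' | grep .
}

# Build a throwaway copy of an Apache config tree with one commented-out and one
# active HSTS directive (constructed fixture). Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites-available"
    cat > "$dir/sites-available/000-default.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.test
    # Header always set Strict-Transport-Security "max-age=0"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
    printf 'ServerRoot "/etc/apache2"\n' > "$dir/apache2.conf"
    printf '%s\n' "$dir"
}

# Constructed response headers, standing in for `curl -sI` output.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Walk through the article's steps on the fixture and show the before/after state.
demo() {
    dir=$(make_fixture)
    echo "active HSTS directives before: $(count_active_hsts "$dir")"
    find_active_hsts "$dir"
    disable_hsts_in_file "$dir/sites-available/000-default.conf"
    echo "active HSTS directives after:  $(count_active_hsts "$dir")"
    echo "header in sample response: $(hsts_from_headers "$SAMPLE_HEADERS" || echo none)"
    rm -rf "$dir"
}

demo
```

Against a real server you would point find_active_hsts at /etc/apache2 (or /etc/httpd) and your web root, run disable_hsts_in_file on the file it reports, check the result with `apachectl configtest` before restarting, and then feed `curl -sI https://your-host/` into hsts_from_headers; an empty result with exit status 1 means the header is gone from the response.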
