HTTP Strict Transport Security Policy (HSTS) protects your websites from malicious attacks such as man-in-the-middle attacks, clickjacking and protocol downgrades. It allows servers to specify that browsers and other compliant clients must only request HTTPS/SSL URLs directly. However, if you do not want HSTS on your site, then here are the steps to disable HTTP Strict Transport Security Policy in Apache server.
How to Disable HTTP Strict Transport Policy in Apache
Here are the steps to disable HSTS in Apache.
1. Open configuration file
Open virtual host configuration file for your website at /etc/apache2/sites-available. If you have not created a virtual host file, open the default virtual host configuration file in a text editor.
$ sudo vi /etc/apache2/sites-available/000-default.conf
Also read : How to Create Virtual Host on WAMP
2. Disable HSTS in Apache
Look for the following line
Header always set Strict-Transport-Security ...
If you find it, then remove it or comment it by adding # at its beginning.
If you are unable to find this line, run the following command to find the files where the above header is present.
$ sudo grep -nr "Strict-Transport-Security" /etc/apache2/sites-available
The output will list all files in /etc/apache2/sites-available that contain the above header directive.
If you still cannot find it, then look into the server configuration file at any of the following locations, depending on your installation:
Since HSTS is disabled by default in Apache, it cannot have been enabled unless someone explicitly did so using server configuration file or virtual configuration file.
So it is important to find the right file where HSTS is enabled and disable it.
Also read : How Does RewriteBase Work in Apache
3. Restart Apache Server
Restart Apache server to apply changes.
$ sudo service apache2 restart
That’s it. You can use an online tool like Qualsys SSL Labs to check if HSTS is disabled properly on your website.