enable http strict transport security policy in apache

How to Enable HTTP Strict Transport Policy in Apache

HTTP Strict Transport Security Policy (HSTS) protects your website from malicious attacks like man-in-the-middle attack, protocol downgrade attack and cookie hijacking. It allows servers to specify that they use only HTTPS protocol for requests and web browsers should send only HTTPS requests. However, HSTS is disabled by default in Apache server. In this article, we will look at how to enable HTTP Strict Transport Policy in Apache server.


How to Enable HTTP Strict Transport Policy in Apache

Here are the steps to enable HSTS in Apache server.


1. Enable mod_headers

We will be setting a request header in Apache server using mod_headers module. Depending on your Linux system, run the following commands to enable mod_headers

Ubuntu/Debian

Open terminal and run the following command to enable mod_headers

$ sudo a2enmod headers


Redhat/CentOS/Fedora

Open terminal and run the following command to open Apache configuration file. It is located at any of the following locations depending on your installation.

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf
$ sudo vi /etc/apache2/httpd.conf

Uncomment the following line by removing # at its beginning.

#LoadModule headers_module modules/mod_headers.so

Also read : How does RewriteBase work


2. Enable HTTP Strict Transport Security (HSTS)

Open the virtual host configuration file for your website located at /etc/apache2/sites-available. If you have not created a virtual host configuration for your website, then open the default one.

$ sudo vi /etc/apache2/sites-available/000-default.conf

Look for <VirtualHost *:443> block that listens to port 443.

Add the following line in the tag.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Let us look at the above line in detail.

  • max-age – the amount of time browsers must enforce HSTS headers. We have specified it as 1 year
  • includeSubDomains – Apply HSTS for subdomains also

So your VirtualHost tag will look like

<VirtualHost *:443>
...
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
</VirtualHost>

Please note, you need to add the Header directive to virtual host listening to port 443 (SSL/HTTPS) only.

Also read : How to Change Log Level in Apache Server


3. Restart Apache Server

Restart Apache Server to apply changes

$ sudo service apache2 restart

That’s it. Now your website will enforce HTTP Strict Protocol Security policy on web browsers. You can use an online tool like Qualsys SSL Labs to check if HSTS is working properly on your website.

Also read : How to Change Apache Log Location


Leave a Reply

Your email address will not be published.