HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks by allowing web servers to declare that web browsers should only connect via secure HTTPS connections. The HSTS policy for the site is communicated by the server to the browser via an HTTPS response header field named “Strict-Transport-Security”, which declares the period of time for which the site should only be accessed via HTTPS.
Whilst this header cannot protect the first HTTPS connection to the server, it does ensure that all future connections made before the expiry are over HTTPS. Each valid response also resets the time period.
If you're looking to enable HSTS on Apache, this should help:
First, set up your site, e.g.:
/etc/apache2/sites-enabled/default-ssl.conf

    ServerAdmin webmaster@example.com
    ServerName www.example.com
    ServerAlias example.com www.example.com
Then configure SSL/TLS and the Strict-Transport-Security header; this will need to include your desired time in seconds:
    # Serve this virtual host over TLS
    SSLEngine on
    # HSTS policy: one year, expressed in seconds
    Header always set Strict-Transport-Security "max-age=31536000; preload"
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile /etc/ssl/certs/example-ca.crt
Lastly, we will need to enable the headers module and restart Apache.
    root@server:~# a2enmod headers
    Enabling module headers.
    To activate the new configuration, you need to run:
      service apache2 restart
    root@server:~# service apache2 restart
     * Restarting web server apache2 OK
    root@server:/etc/ssl/certs#
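Once Apache is serving the header, it is worth checking what the browser will actually see. The following is an added example, not part of the original post: it parses a Strict-Transport-Security value the way RFC 6797 prescribes (case-insensitive directive names, no repeated directives, a numeric max-age) and reports policy problems; `fetch_hsts` reads the live header from a hostname you supply. Run against the header set above, it points out that the HSTS preload list also requires the includeSubDomains directive alongside preload.

```python
import http.client
ONE_YEAR = 31536000  # seconds; the max-age the post uses

def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict. Names are
    case-insensitive (RFC 6797); a repeated directive or a non-numeric
    max-age is malformed, and browsers then behave as if no header was sent."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "valid": True}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:            # tolerate a trailing ';'
            continue
        if name in seen:        # directives must appear at most once
            policy["valid"] = False
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')   # the value may be quoted
            if arg.isdigit():
                policy["max_age"] = int(arg)
            else:
                policy["valid"] = False
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:  # max-age is the only required directive
        policy["valid"] = False
    return policy

def check_hsts(value):
    """Return a list of findings; an empty list means the policy is sound."""
    p = parse_hsts(value)
    if not p["valid"]:
        return ["malformed header; browsers ignore it"]
    findings = []
    if p["max_age"] < ONE_YEAR:   # max-age=0 lands here too: it clears the policy
        findings.append("max-age shorter than one year (also too short for the preload list)")
    if p["preload"] and not p["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    return findings

def fetch_hsts(host):
    """Read the live header over HTTPS from a host you supply (not run offline)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")
```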
You will likely need to adjust the above for your needs, however on a clean server this would get you up and running.
Hope this helps!