HTTP Strict Transport Security with Apache

HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks by allowing web servers to declare that web browsers should only connect via secure HTTPS connections. The HSTS Policy for the site is communicated by the server to the browser via a HTTPS response header field named “Strict-Transport-Security” which sets the period of time the site should only be accessed via HTTPS.

Whilst this header can not protect the first HTTPS connection to the server, it does ensure all future connections made before the expiry are over HTTPS. Each valid response also resets the time period.

If your looking to enable HSTS on Apache this should help:

First setup your site, eg:

/etc/apache2/sites-enabled/default-ssl.conf

ServerAdmin webmaster@example.com
ServerName www.example.com
ServerAlias example.com www.example.com

Then configure SSL/TLS and the Strict-Transport-Security header, this wI’ll need to include you’re desired time in seconds:

Header always set Strict-Transport-Security "max-age=31536000; preload"

SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
SSLCACertificateFile /etc/ssl/certs/example-ca.crt

Lastly we will need to enable the headers module, and restart apache.

root@server:~# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:~# service apache2 restart
 * Restarting web server apache2                                                                                                         OK
root@server:/etc/ssl/certs# 

You will likely need to adjust the above for your needs, however on a clean server this would get you up and running.

Hope this helps!

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *