
HSTS (HTTP Strict Transport Security, often shortened to STS) can be enabled in Apache fairly easily. I’ll show you how!
Enabling HSTS sends a response header that tells the browser to talk to your host only over HTTPS for the stated max-age: any http:// link or typed URL for the host is rewritten to https:// before a request leaves the browser, and certificate errors can no longer be clicked through. This protects returning visitors against SSL stripping and similar man-in-the-middle attacks. Two caveats: browsers only honour the header when it arrives over HTTPS, so your plain-HTTP virtual host should redirect to HTTPS rather than try to send it, and the very first visit (before the browser has ever seen the header) is not protected unless the domain is on the browser preload list.
First, enable mod_headers:
$ sudo a2enmod headers
Next, add the following line to the HTTPS (port 443) virtual host in your Apache config, or if desired to
/etc/apache2/sites-available/default-ssl
Header always set Strict-Transport-Security "max-age=43200; includeSubDomains"
The "always" keyword makes Apache add the header to every response, including redirects and error pages, not just 2xx responses. The max-age of 43200 seconds (12 hours) is a cautious starting value that can be adjusted as desired; once you are confident every page and every subdomain is served correctly over HTTPS, raise it substantially (a year, 31536000 seconds, is the usual production value, and the minimum the preload list accepts). Be careful with includeSubDomains: it commits every subdomain, including ones that today are only reachable over plain HTTP, to HTTPS for the whole max-age, and a browser that has cached the policy will refuse to load any that cannot present a valid certificate.
And finally, restart apache:
$ sudo /etc/init.d/apache2 restart
You can use a test such as the Qualys SSL Server Test (https://www.ssllabs.com/ssltest/) to verify Strict Transport Security is enabled; it reports the header, its max-age and whether includeSubDomains is set. Inspecting the response headers of an HTTPS request to the site with your browser's developer tools or with curl -I shows the same thing.
Done!
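The following is an added example, not code from the original post: it ties the procedure above together in one script. render_vhost prints the pair of Apache virtual hosts the post describes (port 80 redirecting to HTTPS, port 443 sending the HSTS header), and check_hsts reads captured response headers and verifies that a usable Strict-Transport-Security header with a large enough max-age is present, which is the same check the Qualys test performs. The domain example.com, the certificate paths and the one-year max-age are placeholders, and the three sample header blocks are constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: example.com, the
# certificate paths and the 31536000 s max-age are placeholders; the sample
# responses below are constructed, not captured from a live server.

# render_vhost DOMAIN [MAX_AGE]
# Prints two vhosts. HSTS is only honoured when received over HTTPS, so the
# port-80 vhost just redirects and only the port-443 vhost sets the header.
render_vhost() {
    domain="$1"
    max_age="${2:-31536000}"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    # No HSTS header here: browsers ignore it on plain-HTTP responses.
    Redirect permanent / https://${domain}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${domain}
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/${domain}.crt
    SSLCertificateKeyFile /etc/ssl/private/${domain}.key
    # "always" also covers non-2xx responses such as 301 and 404.
    Header always set Strict-Transport-Security "max-age=${max_age}; includeSubDomains"
</VirtualHost>
EOF
}

# check_hsts [MIN_AGE]  < raw-response-headers
# Returns 0 when a Strict-Transport-Security header with max-age >= MIN_AGE
# is present, 1 otherwise, and prints a one-line verdict either way.
check_hsts() {
    min_age="${1:-31536000}"
    # Header names are case-insensitive; strip CRs, take the first match,
    # keep only the value after the colon.
    sts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    if [ -z "$sts" ]; then
        echo "no Strict-Transport-Security header"
        return 1
    fi
    max_age=$(printf '%s' "$sts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "HSTS header present but max-age is missing or malformed:$sts"
        return 1
    fi
    subs="no"
    printf '%s' "$sts" | grep -qi 'includesubdomains' && subs="yes"
    if [ "$max_age" -lt "$min_age" ]; then
        echo "HSTS max-age=$max_age is below $min_age (includeSubDomains: $subs)"
        return 1
    fi
    echo "HSTS ok: max-age=$max_age includeSubDomains=$subs"
    return 0
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
SHORT_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=43200; includeSubDomains
Content-Type: text/html'
NONE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# demo: print the generated config, then grade the three samples against a
# one-year minimum. Failures are tolerated here so the demo itself never aborts.
demo() {
    render_vhost example.com 31536000
    printf '%s\n' "$GOOD_HEADERS"  | check_hsts 31536000 || :
    printf '%s\n' "$SHORT_HEADERS" | check_hsts 31536000 || :
    printf '%s\n' "$NONE_HEADERS"  | check_hsts 31536000 || :
}
demo
```

Against a live site the checker is fed from curl, for example curl -sI https://example.com/ | sh -c '. ./hsts.sh; check_hsts 31536000' with the script saved as hsts.sh; the 43200-second sample is reported as too short for a one-year minimum but passes when the minimum is set to 43200, which is exactly the situation during the cautious roll-out period described above.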

