Enable HTTP Strict Transport Security on Debian / Ubuntu

By | 2011/09/17

HSTS or just STS can be enabled with Apache fairly easily. I’ll show you how!

Enabling HSTS tells the end user’s web browser that, for the lifetime of the policy, every request to your server must be made over HTTPS. This can protect against interception, HTTPS stripping, and other possible man-in-the-middle attacks.

First, enable mod_headers:

$ sudo a2enmod headers

Next, add the following line to your desired apache HTTPS (port 443) virtualhost config file. Browsers ignore the header when it arrives over plain HTTP, so it belongs in the SSL virtualhost, not the port 80 one:

<VirtualHost *:443>
    # ... your existing SSL virtualhost settings ...
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

The max-age of 31536000 seconds (12 months) can be adjusted as desired.

And finally, restart apache:

$ sudo /etc/init.d/apache2 restart

You can use a test such as Qualys SSL Server Test to verify Strict Transport Security is enabled.
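For an offline check of what the vhost actually serves, here is an added example (not part of the original post) that parses a Strict-Transport-Security value per RFC 6797 and flags a max-age that is missing, malformed, or too short. The header values in it are constructed, and the one-month floor follows the suggestion in the comments below.

```python
# Added example (not from the original post): parse an Apache-served
# Strict-Transport-Security value per RFC 6797 and flag a max-age that is
# missing, malformed or too short.  All header values below are constructed.
import re
MIN_MAX_AGE = 2628000  # one month, the floor suggested in the comments
# name [= token | "quoted"]; directive names are case-insensitive
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')

def parse_hsts(value):
    """Return {name: value-or-None}, or None if browsers would ignore the header."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None  # RFC 6797 s6.1: each directive at most once
        directives[name] = m.group(3)
    return directives

def check_hsts(value, min_max_age=MIN_MAX_AGE):
    """Evaluate one header value; returns (ok, reason)."""
    if value is None:
        return False, "no Strict-Transport-Security header served"
    d = parse_hsts(value)
    if d is None:
        return False, "malformed header; browsers will ignore it"
    age = d.get("max-age")
    if age is None or not age.isdigit():
        return False, "max-age missing or not an integer; browsers will ignore it"
    age = int(age)
    if age < min_max_age:  # max-age=0 is the special case: it tells browsers to drop the policy
        return False, f"max-age={age} ({age // 3600} h) is below the {min_max_age}s floor"
    extras = [k for k in ("includesubdomains", "preload") if k in d]
    return True, f"max-age={age} ({age // 86400} days)" + "".join(", " + k for k in extras)

SAMPLE_HEADERS = {  # constructed values, not captured from any real host
    "post":     "max-age=31536000",
    "twelve_h": "max-age=43200",
    "full":     "max-age=31536000; includeSubDomains; preload",
    "absent":   None,
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        ok, reason = check_hsts(hdr)
        print(f"{label:9} {'OK ' if ok else 'BAD'} {reason}")
```

Feed it the value you get from an HTTPS response to your own vhost; a 12-hour max-age, as the comment below points out, is reported as too short.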


2 thoughts on “Enable HTTP Strict Transport Security on Debian / Ubuntu”

  1. Jeremy Visser

    A max-age should be much higher than 12 hours. What you suggested above almost completely defeats the purpose of using the header in the first place!

    The purpose of the header is to protect visitors when they visit your site in the future. I don’t know about you, but I visit my bank’s website maybe once a week if I’m lucky — up to much longer, even a month or two.

    I would suggest setting max-age to at least 1 month (2628000 seconds), but preferably 1 year (31540000 seconds).

