Enable HTTP Strict Transport Security on Debian / Ubuntu

By | 2011/09/17

HSTS or just STS can be enabled with Apache fairly easily. I’ll show you how!

Enabling HSTS tells the end user’s web browser to load all content from your server over HTTPS only. This can protect against interception, HTTPS stripping, and other possible man-in-the-middle attacks.


First, enable mod_headers:

$ sudo a2enmod headers

Next, add the following line to your desired Apache VirtualHost config file:

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000"
    ...
</VirtualHost>

The max-age of 31536000 seconds (12 months) can be adjusted as desired.

And finally, restart Apache:

$ sudo /etc/init.d/apache2 restart

You can use a test such as the Qualys SSL Server Test to verify that Strict Transport Security is enabled.
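
For a quick local check of the same thing, the header can be parsed from the response itself. This is an added example, not part of the original post: the function name hsts_max_age and the sample headers are made up for illustration. It goes slightly beyond the post by following RFC 6797 in two respects: only the first Strict-Transport-Security header counts, and max-age=0 is treated as "no policy" because it tells the browser to forget the host.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Reads HTTP response headers on stdin, prints the HSTS max-age in seconds.
# Exit status 0: policy present with max-age > 0.
# Exit status 1: header missing, max-age missing/malformed, or max-age=0.
hsts_max_age() {
    # Strip CRs so CRLF-terminated headers parse cleanly.
    tr -d '\r' | awk '
        # Header names are case-insensitive; only the first one is processed.
        tolower($0) ~ /^strict-transport-security:/ && !seen {
            seen = 1
            sub(/^[^:]*:/, "")              # drop the header name
            n = split($0, d, ";")           # directives are ";"-separated
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", d[i])
                # Directive names are case-insensitive; value may be quoted.
                if (tolower(d[i]) ~ /^max-age[ \t]*=/) {
                    v = d[i]
                    sub(/^[^=]*=[ \t]*/, "", v)
                    gsub(/"/, "", v)
                    if (v ~ /^[0-9]+$/) age = v
                }
            }
        }
        END {
            if (age == "") exit 1
            print age
            exit (age + 0 > 0 ? 0 : 1)
        }'
}

# Constructed sample response headers (not captured from a real server),
# matching the VirtualHost setting shown above.
SAMPLE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'

printf '%s\n' "$SAMPLE" | hsts_max_age

# Against a live site (replace the placeholder host with your own):
#   curl -sI https://your.host.example/ | hsts_max_age
```

Run the live check against the https:// URL, since browsers ignore this header when it arrives over plain HTTP.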

Done!