Objective
HTTP Strict Transport Security (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. This tutorial describes how to set up HSTS in Apache.
HSTS addresses the following threats (each threat is followed by how HSTS mitigates it):
- User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
  - HSTS automatically redirects HTTP requests to HTTPS for the target domain
- Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
  - HSTS automatically redirects HTTP requests to HTTPS for the target domain
- A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
  - HSTS does not allow a user to override the invalid certificate message
Solution
A minimum of Apache version 2.2.22 is needed to support HSTS.
Edit your Apache configuration file /etc/apache2/httpd.conf and add the following to your VirtualHost. The header has to be set in the HTTPS VirtualHost, not in the HTTP VirtualHost: browsers ignore a Strict-Transport-Security header received over plain HTTP.
# Load the headers module
LoadModule headers_module modules/mod_headers.so
<VirtualHost *:443>
    # HSTS (31536000 seconds = 1 year)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
Once a web browser has visited the site and received the header, it remembers that the site must only be accessed over HTTPS for the number of seconds given in max-age. The timer is reset every time the browser receives the header again, so regular visitors stay covered indefinitely.
To always redirect your visitors to the HTTPS version of your website, use the following configuration:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
Reload Apache
[root@nowherelan]# systemctl reload httpd.service
Go to the SSL Labs test site and test your site. The report will tell you whether everything is configured correctly.
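SSL Labs checks the live site remotely. As an added example that is not part of the original tutorial, the Python below performs the same two checks offline against constructed response headers: that the HTTPS response carries a well-formed, year-long Strict-Transport-Security header with includeSubDomains, and that the HTTP VirtualHost does nothing but redirect permanently to https://. The function names and sample responses are constructed for illustration.

```python
ONE_YEAR = 31536000  # seconds; the max-age used in the Apache config above

def parse_hsts(value):
    """Split an HSTS value into lower-cased directives; None if max-age is absent or non-numeric."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdecimal():
        return None
    return directives

def check_https_response(headers, min_age=ONE_YEAR):
    """Findings for the *:443 VirtualHost; an empty list means the header matches the tutorial's config."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    if directives is None:
        return ["Strict-Transport-Security header is malformed (no numeric max-age)"]
    findings = []
    age = int(directives["max-age"])
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < min_age:
        findings.append(f"max-age {age} is shorter than {min_age} seconds (1 year)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    return findings

def check_http_response(status, headers, host):
    """Findings for the *:80 VirtualHost; it should do nothing but redirect to the HTTPS origin."""
    findings = []
    location = headers.get("Location", "")
    # Redirect permanent sends 301; 308 is the other permanent redirect browsers honour
    if status not in (301, 308) or not location.startswith(f"https://{host}/"):
        findings.append(f"expected a permanent redirect to https://{host}/, got {status} {location!r}")
    # Browsers ignore HSTS received over plain HTTP, so a header here is in the wrong VirtualHost
    if "Strict-Transport-Security" in headers:
        findings.append("HSTS header sent over HTTP is ignored; set it in the *:443 VirtualHost")
    return findings

# Constructed sample responses (not captured from a real server); header names as Apache sends them
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK_HTTPS = {"Strict-Transport-Security": "max-age=300"}
GOOD_HTTP = (301, {"Location": "https://example.com/"})
BAD_HTTP = (200, {"Strict-Transport-Security": "max-age=31536000"})
```

check_https_response(WEAK_HTTPS) returns two findings (short max-age, no includeSubDomains), while check_http_response(*BAD_HTTP, "example.com") flags both the missing redirect and the header placed in the wrong VirtualHost.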
My System Configuration
- CentOS 7
- Apache 2.4