How To Configure Http Strict Transport Security Hsts With Apache

If you’re using HTTPS or going to be using it on your websites, then HSTS is something you might want to configure as well. HTTP Strict Transport Security (HSTS) is a security policy that helps protect against downgrade attacks and cookies hijacking. When configured, your web server enforces strict HTTPS connection for web browsers and never via the insecure HTTP protocol. To enhance connections to your Apache web server make sure that HSTS is also enabled to help protect against a man-in-the-middle attack. Since newer web browsers are all HSTS enabled, this should work across most systems. When a web browser contacts an HSTS-enabled server, the browser by default looks for a special HTTP header related to HSTS. If the special header is enabled, the web server instructs the browser to only communicate over HTTPS.  When the web browser receives the instruction from the header, the next connection after that will always be HTTPS and never HTTP. This always insures that the connection between the web server and web browser is also protected.

How to enable the Apache headers module

To use HSTS with Apache, you’ll want to enable the Apache headers module. To do that, run the command below:

How to enable HSTS with Apache

After enabling the headers module for Apache, look at the VirtualHost file for your website and add the line below. The line should be placed between the <VirtualHost *:443> and An example VirtualHost file with HSTS enabled should look similar to the one below. Because you enabled HTST in Apache, you’ll also want to redirect all connections over HTTPS. To do that, open the Apache default SSL configuration file. The default SSL file on the Ubuntu system is at /etc/apache2/sites-enabled/000-default-ssl.conf Redirect all traffic on HTTP to HTTPS. This is a must if you want HSTS to function correctly with Apache. Open the Apache default SSL configuration file, then add the block of code in that config file and save. Add the highlighted lines and save. Once you’re done, restart Apache. That should do it! Conclusion: This post showed you how to enable HSTS with Apache in Ubuntu. If you find any error above or have something to add, please use the comment form below.