HTTP Strict Transport Security (HSTS) is a web security policy mechanism that requires web browsers and other user agents to interact with a website solely over HTTPS. By ensuring that connections are always made securely, HSTS reduces the risk of man-in-the-middle attacks and cookie hijacking.

Modern browsers have built-in support for HSTS, which makes websites more resistant to protocol downgrade attacks and cookie hijacking. Once a site has been loaded over HTTPS and has returned the Strict-Transport-Security header, the browser remembers to access that site only over secure connections for the period the header specifies.

Implementing HSTS on a website running on Apache requires only a small configuration change that adds a response header. It ensures that users always reach your site over an encrypted connection, even if they mistakenly type http:// instead of https://.

Steps to enable HSTS in Apache:

  1. Ensure your website has a valid SSL certificate and can be accessed via HTTPS.
  2. Launch terminal.
  3. Enable headers module for Apache.

    $ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
    Enabling module headers.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distributions with a2enmod support can simply run the command above without having to manually enable the required modules.
    • CentOS and Red Hat enable the module by default, so no manual action is required.

    | Options              | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL                                          | macOS homebrew                                                     | xampp                                                              |
    |----------------------|----------------|-------------------|--------------------------------------------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------|
    | a2enmod support      | yes            | yes               | no                                                                 | no                                                                 | no                                                                 |
    | Modules to install   | none           | none              | none                                                               | none                                                               | none                                                               |
    | Module name          | n/a            | n/a               | headers                                                            | headers                                                            | headers                                                            |
    | LoadModule directive | n/a            | n/a               | LoadModule headers_module <module_locations>/mod_headers.so        | LoadModule headers_module <module_locations>/mod_headers.so        | LoadModule headers_module <module_locations>/mod_headers.so        |
  4. Open the configuration file for your Apache website using your preferred text editor.

    $ sudo vi /etc/apache2/sites-available/000-mysite.conf
  5. Add a Header directive that sets Strict-Transport-Security inside the HTTPS virtual host of your site configuration.

    <VirtualHost *:443>
            # .....
            # ....
            # Browsers only honour HSTS received over HTTPS, so the header belongs in the :443 virtual host.
            # "always" makes Apache send it on error responses as well as on 200 responses.
            Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </VirtualHost>

    Ensure that the `max-age` parameter, the number of seconds the browser should remember the HSTS policy, suits your needs; the setting above keeps the policy for one year. `includeSubDomains` extends the policy to every subdomain, so all of them must also be reachable over HTTPS. Adjust as necessary.

  6. Reload or restart the Apache service to apply the changes.

    $ sudo systemctl restart apache2 # Ubuntu and Debian
    $ sudo systemctl restart httpd # CentOS and Red Hat
  7. Verify that HSTS has been properly implemented by requesting your website over HTTPS and checking the response headers.

    $ curl --head https://www.facebook.com
    HTTP/2 200
    set-cookie: fr=1kSvv492E5q1inyhV..BeSNo2.VF.AAA.0.0.BeSNo2.AWXv6Ptp; expires=Sat, 16-May-2020 05:59:17 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly
    set-cookie: sb=NtpIXuU2eriH34nD6VfGz_em; expires=Tue, 15-Feb-2022 05:59:18 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
    cache-control: private, no-cache, no-store, must-revalidate
    pragma: no-cache
    strict-transport-security: max-age=15552000; preload
    vary: Accept-Encoding
    x-content-type-options: nosniff
    x-frame-options: DENY
    x-xss-protection: 0
    expires: Sat, 01 Jan 2000 00:00:00 GMT
    content-type: text/html; charset="utf-8"
    x-fb-debug: vMujBKiilKcPMV/+nHPJ1hc1edb5y08fSxdhwLel5lsiXHrqfWR9JNW1FX9y7lFivSJF+rhA6HOM77cSFuODaw==
    date: Sun, 16 Feb 2020 05:59:18 GMT
    alt-svc: h3-24=":443"; ma=3600
    date: Sun, 16 Feb 2020 05:59:18 GMT
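Reading the header by eye as in step 7 works for one host, but a repeatable check is more useful. The shell function below is an added example, not part of the original article: it reads the raw headers that `curl --head` prints, extracts the Strict-Transport-Security value, fails when the header is missing or its `max-age` is below a minimum (one year by default, an assumed threshold matching the article's configuration), and warns about weak-but-valid policies.

```shell
# Added example, not from the original article. Usage:
#   curl --head https://www.example.com | hsts_check [min_age_seconds]
# Reads raw HTTP response headers on stdin. Returns 0 when an HSTS policy with
# max-age >= the minimum is present, 1 otherwise. The default minimum (one year,
# 31536000 seconds) is an assumption that matches the article's max-age setting.
# Only headers received over HTTPS count: browsers ignore HSTS sent over plain HTTP.
hsts_check() {
  min_age=${1:-31536000}
  # Header names are case-insensitive; lowercase everything and strip CR line endings.
  # RFC 6797 says a browser processes only the first STS header, so keep the first one.
  value=$(tr 'A-Z' 'a-z' | tr -d '\r' \
          | sed -n 's/^strict-transport-security:[[:space:]]*//p' | head -n 1)
  if [ -z "$value" ]; then
    echo "FAIL: no Strict-Transport-Security header; browsers will not enforce HTTPS"
    return 1
  fi
  age=$(printf '%s\n' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$age" ]; then
    echo "FAIL: header present but max-age is missing, so the policy is invalid: $value"
    return 1
  fi
  if [ "$age" -lt "$min_age" ]; then
    echo "FAIL: max-age=$age is below the required minimum of $min_age seconds"
    return 1
  fi
  # Advisory checks: these do not fail the run but point at common weaknesses.
  case "$value" in
    *includesubdomains*) ;;
    *) echo "WARN: includeSubDomains is absent; subdomains may still be reached over HTTP" ;;
  esac
  case "$value" in
    *preload*)
      # The browser preload list requires max-age of at least one year plus includeSubDomains.
      if [ "$age" -lt 31536000 ]; then
        echo "WARN: preload requested but max-age is under one year; preload lists would reject it"
      fi
      case "$value" in
        *includesubdomains*) ;;
        *) echo "WARN: preload requested without includeSubDomains" ;;
      esac ;;
  esac
  echo "OK: HSTS policy accepted ($value)"
  return 0
}
```

Run against the Facebook response shown above, the function fails with the one-year default (its max-age is 15552000) and passes when that value is given as the minimum.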