How To Set Up Hsts For Apache Web Server

Author: Cristian
June 2nd, 2020

How to activate HSTS on apache server

HSTS, or HTTP Strict Transport Security, is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. HSTS allows a web server to declare that browsers should interact with it only over HTTPS connections, which provide Transport Layer Security (TLS/SSL), rather than over insecure plain HTTP.

What is HTTP Strict Transport Security?

Quoting the Mozilla Developer Network:

If a web site accepts a connection through HTTP and redirects to HTTPS, the user, in this case, may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com.
This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.
The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

To test the status of HSTS on my website I use https://hstspreload.org

I have checked the status of HSTS on my website:

[Screenshot: HSTS test failed]

As you can see HSTS failed and I have a couple of technical issues to sort.

How to configure it?

First step

Redirect HTTP (non-www) to HTTPS (www). To do so, I have to edit the vhost file (criscond.co.uk.conf) for my domain.

Adding these lines at the beginning of the file will fix the redirection but only for port 80.

# Plain-HTTP vhost: its only job is to answer every request with a permanent (301) redirect to HTTPS.
<VirtualHost *:80>
    ServerName criscond.co.uk
    Redirect permanent / https://criscond.co.uk/
</VirtualHost>

Second step

Redirecting HTTPS (non-www) to HTTPS (www) is done the same way, plus a couple of extra bits. I edited the vhost file for SSL (criscond.co.uk.ssl.conf).

I have added the lines below at the beginning of the file.

<VirtualHost *:443>
    # HSTS header (needs mod_headers). "always" makes Apache add it to the 301 redirect response too, not only to 2xx responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    ServerName criscond.co.uk
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/criscond.co.uk.cert
    SSLCertificateKeyFile /etc/pki/tls/private/criscond.co.uk.key
    SSLCertificateChainFile /etc/pki/tls/certs/criscond.co.uk.bundle
    # Legacy workaround for old Internet Explorer versions that do not close SSL connections cleanly.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # Send HTTPS requests for the bare domain on to the www host with a permanent (301) redirect.
    Redirect permanent / https://www.criscond.co.uk/
</VirtualHost>

The line 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"' activates HSTS for my domain name with the preload directive set.
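As an added example (not part of the original post), here is a small Python check that parses a Strict-Transport-Security header value like the one configured above and tests it against the hstspreload.org submission requirements: a max-age of at least one year (31536000 seconds), includeSubDomains, and preload. It also catches the two ways a header can look right but do nothing: a missing or non-numeric max-age (browsers then ignore the whole header) and max-age=0 (which tells browsers to forget the policy). The sample header values are constructed; the script does not contact the site.

```python
"""Check a Strict-Transport-Security header value against the
hstspreload.org submission rules. Added example for this post, not
the post's own code; the sample header values below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# hstspreload.org requires a max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None  # None when the directive is absent or malformed
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the semicolon-separated directive list of an STS header.

    Directive names are case-insensitive (RFC 6797); unknown directives
    are skipped, as browsers ignore them.
    """
    policy = HstsPolicy()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def preload_problems(header: str) -> List[str]:
    """Return the reasons the header would fail preload submission (empty list = ready)."""
    policy = parse_hsts(header)
    problems: List[str] = []
    if policy.max_age is None:
        problems.append("max-age is missing or not a number; browsers ignore the whole header")
    elif policy.max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy, it does not enable HSTS")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below the required {PRELOAD_MIN_MAX_AGE} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload is missing")
    return problems


def preload_ready(header: str) -> bool:
    """True when the header value meets every preload-list requirement."""
    return not preload_problems(header)


# Constructed sample header values; the first is the value from the vhost above.
SAMPLE_HEADERS = {
    "vhost": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "disabled": "max-age=0; includeSubDomains; preload",
    "no-preload": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        problems = preload_problems(header)
        print(f"{label:10s} {header!r}: {'ready' if not problems else 'not ready'}")
        for problem in problems:
            print(f"           - {problem}")
```

To run it against a live header, paste the value of the Strict-Transport-Security response header you see in the browser's developer tools (or from a curl -I request to the HTTPS site) into SAMPLE_HEADERS; the check only looks at the header value, so it does not verify the redirect chain that hstspreload.org also requires.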

Restart Apache and retest.

[Screenshot: HSTS test passed]

As you can see, the test is green now. All set.

How can I boost our security and SSL scores from A or B to A+?

Read more in the article How to improve the security score of your website.

Thank you!