Configure HTTP Strict Transport Security (HSTS) on Apache2

This brief tutorial shows students and new users how to configure HTTP Strict Transport Security (HSTS) on Apache2.

If you’re using HTTPS or going to be using it on your websites, then HSTS is something you might want to configure as well.

HTTP Strict Transport Security (HSTS) is a security policy that helps protect against protocol downgrade attacks and cookie hijacking. Once configured, your web server instructs web browsers to connect strictly over HTTPS and never over the insecure HTTP protocol.

So, if you’re using the HTTPS protocol on your websites, make sure that HSTS is also enabled on your server. This will help protect against man-in-the-middle attacks.

This brief tutorial is going to show you how to enable HSTS on Apache2 web servers.

Before you can enable this feature on Apache2, you must be running at least version 2.2.22. Versions earlier than that won’t have the feature.

Since newer web browsers all support HSTS, this should work across most systems. When a web browser contacts an HSTS-enabled server, the browser by default looks for a special HTTP header related to HSTS.

If that header is present, the web server is instructing the browser to communicate only over HTTPS. Once the web browser has received the instruction from the header, every subsequent connection will be made over HTTPS and never over HTTP.

This ensures that the connection between the web server and the web browser is always protected.
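To make the browser side of this concrete, here is a small Python model of a browser's HSTS store. It is an added example, not part of this tutorial and not Apache or browser code. It parses the Strict-Transport-Security header that the configuration below sends, remembers the policy for max-age seconds, and upgrades later http:// requests for the host (and for its subdomains when includeSubDomains is set). It also shows two behaviours the paragraph above does not: a header received over plain HTTP is ignored (which is why the HTTP-to-HTTPS redirect later in this tutorial matters), and max-age=0 withdraws the policy. The hostnames such as example.com and the injected clock are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class StsPolicy:
    expires_at: float          # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_sts(header_value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is malformed (no max-age directive, or a non-numeric max-age).
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Minimal model of a browser's HSTS store: one policy per host."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now            # injectable clock so expiry can be simulated
        self._policies: Dict[str, StsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str]) -> None:
        """Record the STS policy carried by a response to `url`.

        A header seen over plain HTTP is ignored (RFC 6797 section 8.1); the
        policy can only be learned from an HTTPS response.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        policy = parse_sts(value)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._policies.pop(host, None)     # max-age=0 withdraws the policy
            return
        self._policies[host] = StsPolicy(self._now() + policy["max_age"],
                                         policy["include_subdomains"])

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        host = parts.hostname.lower()
        now = self._now()
        for known, policy in list(self._policies.items()):
            if policy.expires_at <= now:
                del self._policies[known]      # expired: forget it
                continue
            covered = host == known or (
                policy.include_subdomains and host.endswith("." + known))
            if covered:
                # port 80 maps to the default HTTPS port; any other port is kept
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Feeding `observe_response` the headers of an HTTPS response and then calling `rewrite` on an `http://` URL for the same host shows the upgrade; doing the same with an `http://` response URL shows that nothing is learned, which is exactly the situation a site without a redirect is in.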

Most Linux systems will have the headers module enabled for Apache2. However, my recent test with an Ubuntu system didn’t have the module enabled for Apache2.

Step 1: Enable Apache2 Headers Module

To enable the Apache2 headers module on Ubuntu systems, run the command below:

sudo a2enmod headers

Step 2: Enabling HSTS for Apache2

After enabling the headers module for Apache2, open the VirtualHost file for your website and add the line below. The line should be placed between <VirtualHost *:443> and </VirtualHost>.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

<VirtualHost *:443>
       # The ServerName directive sets the request scheme, hostname and port
       # the server uses to identify itself. This is used when creating
       # redirection URLs. In the context of virtual hosts, the ServerName
       # specifies what hostname must appear in the request's Host: header to
       # match this virtual host. For the default virtual host (this file) this
       # value is not decisive as it is used as a last resort host regardless.
       # However, you must set it for any further virtual host explicitly.

       # Send the HSTS policy on every response; "always" includes error responses
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>


The default SSL site file on Ubuntu systems is at /etc/apache2/sites-enabled/000-default-ssl.conf

After adding the line above to the SSL site file, open your default site configuration file and add a redirect as well.

Redirect all HTTP traffic to HTTPS. This is a must if you want HSTS to function correctly with Apache2: browsers ignore the Strict-Transport-Security header when it arrives over plain HTTP, so a visitor who first types the http:// address only learns the policy after being redirected to the HTTPS site.

<VirtualHost *:80>
       # Requires the rewrite module: sudo a2enmod rewrite
       RewriteEngine on
       # Replace the placeholder hostnames below with your own site's names
       RewriteCond %{SERVER_NAME} =example.com [OR]
       RewriteCond %{SERVER_NAME} =www.example.com
       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
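Once both virtual hosts are in place, a quick way to verify the result is to fetch the site over HTTP and over HTTPS (for instance with curl -I) and look at the two responses. The Python below is an added example, not part of this tutorial and not Apache code: given the two captured response heads (the sample responses and the hostname www.example.com are constructed), it confirms that the :80 host answers with a permanent redirect to https:// on the same hostname, that the HTTPS response carries Strict-Transport-Security with a max-age of at least the one year used above, and it flags the common mistake of placing the Header line in the HTTP virtual host, where browsers ignore it.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value the tutorial's header uses, in seconds


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of a raw HTTP response head (curl -I style)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_hsts_deployment(host: str, http_head: str, https_head: str) -> List[str]:
    """Return a list of problems; an empty list means the setup matches the tutorial."""
    problems: List[str] = []

    # 1. The :80 virtual host must permanently redirect to https:// on the same host.
    status, headers = parse_head(http_head)
    if status not in (301, 308):
        problems.append(f"HTTP answered {status}; expected a permanent redirect")
    else:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https" or (target.hostname or "") != host.lower():
            problems.append(f"redirect goes to {headers.get('location')!r}, not https://{host}")
    # A policy sent over plain HTTP is ignored by browsers (RFC 6797), so its
    # presence here usually means the Header line landed in the wrong virtual host.
    if "strict-transport-security" in headers:
        problems.append("Strict-Transport-Security on the HTTP response is ignored by browsers")

    # 2. The :443 virtual host must send the policy with a long enough max-age.
    status, headers = parse_head(https_head)
    sts = headers.get("strict-transport-security")
    if sts is None:
        problems.append("HTTPS response has no Strict-Transport-Security header")
    else:
        match = re.search(r'max-age="?(\d+)', sts, re.IGNORECASE)
        if match is None:
            problems.append("Strict-Transport-Security header has no max-age")
        elif int(match.group(1)) < ONE_YEAR:
            problems.append(f"max-age={match.group(1)} is shorter than one year")
    return problems


# Constructed sample responses, roughly what `curl -I http://www.example.com/`
# and `curl -I https://www.example.com/` would show after following the tutorial.
GOOD_HTTP_HEAD = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0
"""
GOOD_HTTPS_HEAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""
# Constructed misconfiguration: no redirect, and the header in the :80 host.
MISPLACED_HTTP_HEAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, http_head in (("good", GOOD_HTTP_HEAD), ("misplaced", MISPLACED_HTTP_HEAD)):
        result = check_hsts_deployment("www.example.com", http_head, GOOD_HTTPS_HEAD)
        print(label, result or "OK")
```

The one-year threshold is a choice, not a protocol requirement; the check mirrors the max-age the tutorial's own Header line sets, so a shorter value is reported as a deviation from that configuration rather than as an error.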


Save the file, then restart the Apache2 web server to apply the changes, and you’re done.



1 Comment

  1. HTTP Strict Transport Security (HSTS) is an important setting that all HTTPS-only sites should use. After understanding the risks outlined in this page, and ensuring you set this up correctly, there is no maintenance required for this security setting, so it’s a one-off hit for a long-term gain. As well as adding security, the reduction in the redirect improves performance, and finally it also can help avoid mixed content alerts for resources accidentally served over HTTP on the same domain. We strongly recommend using it, though the use of includeSubdomains and the preload list will take some more thought and may not be possible for all sites.
