HSTS - Setup
HSTS Setup on Apache2
Configuration for HSTS in Apache2
In Apache2, HSTS is configured in the SSL virtual host for your site. Make sure TLS is already working (a valid certificate chain and a successful https:// connection) before adding HSTS: browsers only honour the header on an error-free TLS connection, so a broken chain means the policy is never stored, and once stored a wrong policy is hard to undo.
To enable HSTS, add the `Strict-Transport-Security` header in the HTTPS virtual host only. The `Header` directive is provided by mod_headers, so enable that module first (`a2enmod headers` on Debian and Ubuntu). Keep the header out of the port-80 virtual host: browsers ignore HSTS received over plain HTTP, and that host should simply redirect to HTTPS so that a first visit over HTTP still ends up on a connection where the policy gets set.
```apache
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # Ensure SSL is enabled
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; on current
    # versions put the full chain into the SSLCertificateFile instead.
    SSLCertificateChainFile /path/to/chainfile.pem

    # HSTS Header Configuration (needs mod_headers).
    # "always" also attaches the header to error and redirect responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Other directives for your website (e.g., Logging, Redirects, etc.)
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
Explanation of parameters:
- `max-age=31536000`: The number of seconds a browser keeps enforcing the policy after its last HTTPS response. One year is used here, which is also the minimum the preload list accepts. On a first rollout start with a short value (minutes to a day) so that a mistake expires quickly, and raise it once everything works.
- `includeSubDomains`: Applies the policy to every subdomain, including ones that are only used internally. Any subdomain still served over plain HTTP becomes unreachable from a browser that has stored the policy, so take an inventory of subdomains before adding this.
- `preload`: This token does nothing on its own. It signals consent for the domain to be submitted to the HSTS preload list at hstspreload.org; only once the domain is in the list that browsers ship with do they refuse plain HTTP even on the very first visit. Submission also requires that the base domain redirect HTTP to HTTPS and that the two directives above be set. Removal from the list takes months to reach users, so add the token only when every subdomain is ready to be HTTPS-only.
Once the changes are made, check the syntax with `apachectl configtest` and then restart (a reload is also sufficient) Apache to apply the configuration:
sudo systemctl restart apache2
Checking the Configuration
You can verify your HSTS header with `curl -I https://example.com`, with an online response-header checker such as KeyCDN's, or by inspecting the response headers in your browser's developer tools. Test the https:// URL: a request to http://example.com only tells you whether the redirect works, because the header is deliberately not sent there and would be ignored by browsers anyway.
HSTS Setup on Nginx
Configuring HSTS on Nginx is similar to Apache but requires modifying the Nginx configuration file for your site.
Configuration for HSTS in Nginx
To set up HSTS in Nginx, add the `Strict-Transport-Security` header in the server block that listens on 443 with TLS. Make sure TLS is configured and working before proceeding, and keep the header out of the plain-HTTP server block, which should only redirect to HTTPS.
```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # SSL Configuration
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    # With OpenSSL the TLS_* names only matter for TLS 1.2 and below; TLS 1.3
    # suites are enabled by default and are not selected through ssl_ciphers.
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    # HSTS Header Configuration
    # "always" also attaches the header to error and redirect responses.
    # Note: a location block that has any add_header of its own does NOT
    # inherit this one; repeat the header there (or use an include).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Other server settings (e.g., Logging, Redirects, etc.)
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        root /var/www/html;
        index index.html;
    }
}
```
Explanation of parameters (the same three directives as in the Apache section):
- `max-age=31536000`: The number of seconds browsers keep enforcing the policy; one year, the minimum for preloading. Roll out with a short value first.
- `includeSubDomains`: Enforces the policy on all subdomains, so every subdomain must already be reachable over HTTPS.
- `preload`: Signals consent for submission to the preload list at hstspreload.org; it does not put the domain in the list by itself, and leaving the list again takes months.
Once the configuration is added, check it with `nginx -t` and then reload Nginx to apply the changes:
sudo systemctl reload nginx
Checking the Configuration
To confirm that HSTS is configured correctly, inspect the response headers of the https:// URL with `curl -I`, with your browser's developer tools, or with an online service such as SSL Labs' server test (which also reports whether the policy meets the preload requirements).
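The manual check described here and in the Apache section above can be scripted. The following POSIX shell script is an added example, not part of the original page: `hsts_extract` pulls the header out of raw response headers, `hsts_check` validates the value against the preload-list requirements (`max-age` of at least 31536000, `includeSubDomains`, `preload`), and the hypothetical wrapper `hsts_check_url` fetches a live site with curl (assumed to be installed). The sample response at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the page): validate a Strict-Transport-Security value.
# Directive names are case-insensitive and max-age may be quoted (RFC 6797),
# so both forms are accepted.

# Read raw HTTP response headers on stdin and print the value of the first
# Strict-Transport-Security header (prints nothing if there is none).
hsts_extract() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Validate one header value. Prints one finding per line and returns 0 only
# when the policy is preload-ready, 1 otherwise.
hsts_check() {
    value=$1
    max_age=""
    has_sub=0
    has_preload=0
    rc=0

    # Split on ';'. Globbing is disabled so a stray '*' cannot expand to file names.
    old_ifs=$IFS
    IFS=';'
    set -f
    for token in $value; do
        # Trim surrounding whitespace and lowercase for case-insensitive matching.
        token=$(printf '%s' "$token" | tr 'A-Z' 'a-z' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$token" in
            max-age=*)         max_age=$(printf '%s' "${token#max-age=}" | tr -d '"') ;;
            includesubdomains) has_sub=1 ;;
            preload)           has_preload=1 ;;
            "")                ;;   # empty token, e.g. from a trailing ';'
            *)                 echo "warn: unknown directive '$token' (browsers ignore it)" ;;
        esac
    done
    set +f
    IFS=$old_ifs

    case "$max_age" in
        "")       echo "fail: max-age is missing, so browsers discard the policy"; rc=1 ;;
        *[!0-9]*) echo "fail: max-age '$max_age' is not a number"; rc=1 ;;
        *)
            if [ "$max_age" -eq 0 ]; then
                echo "fail: max-age=0 tells browsers to forget the policy"; rc=1
            elif [ "$max_age" -lt 31536000 ]; then
                echo "fail: max-age=$max_age is below the one-year preload minimum"; rc=1
            else
                echo "ok: max-age=$max_age"
            fi ;;
    esac
    if [ "$has_sub" -eq 1 ]; then echo "ok: includeSubDomains"; else echo "fail: includeSubDomains is missing"; rc=1; fi
    if [ "$has_preload" -eq 1 ]; then echo "ok: preload"; else echo "fail: preload token is missing"; rc=1; fi
    return $rc
}

# Hypothetical wrapper: fetch the response headers of a live URL with a GET
# (some servers omit headers on HEAD) and run the check. The URL must be
# https://, because browsers ignore HSTS received over plain HTTP.
hsts_check_url() {
    case "$1" in
        https://*) ;;
        *) echo "fail: $1 is not an https:// URL; browsers ignore HSTS sent over HTTP"; return 1 ;;
    esac
    header=$(curl -sS -o /dev/null -D - "$1" | hsts_extract)
    if [ -z "$header" ]; then
        echo "fail: no Strict-Transport-Security header returned by $1"
        return 1
    fi
    echo "header: $header"
    hsts_check "$header"
}

# Constructed sample response (not captured from a real server): a policy that
# enforces HTTPS for six months but is not yet eligible for the preload list.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'

sample_header=$(printf '%s\n' "$SAMPLE_RESPONSE" | hsts_extract)
echo "header: $sample_header"
hsts_check "$sample_header" || echo "result: not preload-ready, fix the findings above first"
# Live use: hsts_check_url https://example.com
```

Run it against a staging host before raising `max-age` or adding `preload`: a `fail:` line for `includeSubDomains` or the one-year minimum is exactly what the preload form would reject, and a warning about an unknown directive usually means a typo in the configuration that browsers will silently drop.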
Troubleshooting
If HSTS is not working as expected, here are the common causes to check:
- TLS must be fully working before the header is added. Browsers discard a `Strict-Transport-Security` header received on a connection with certificate errors, so an incomplete chain or a name mismatch means the policy is never stored.
- The header must arrive over HTTPS. Browsers ignore it on plain HTTP, so it belongs only in the 443 virtual host or server block; the port-80 site should redirect to HTTPS. A first visit over HTTP is protected only after that redirect has delivered one HTTPS response (or once the domain is in the preload list).
- On Apache, the `Header` directive needs mod_headers; without it the configuration test fails with "Invalid command 'Header'". Use `Header always set`, otherwise the header is missing from error and redirect responses.
- On Nginx, `add_header` is not merged across levels: a `location` block that declares any `add_header` of its own (for caching headers, for example) drops every `add_header` inherited from the `server` block, including HSTS. Repeat the header in that location or move the headers into a shared include.
- Check for duplicates: if a backend behind a proxy also sends the header, browsers process only the first occurrence they receive, which may carry a weaker policy than the one you configured.
- To roll back a policy, keep serving the header with `max-age=0` until browsers that stored it have revisited; simply removing the header leaves the old policy in place until it expires. A preloaded domain additionally has to be removed through hstspreload.org, which takes months to reach users.
