After securing one of my servers with Let’s Encrypt, I was a bit disappointed that my website only got an A result on the Qualys SSL Server Test. Why did I not get the much sought-after A+?
Browsing the Protocol Details section of the report, I discovered that my website was lacking HTTP Strict Transport Security (HSTS) support. HSTS is a response header that tells a browser to talk to the site only over HTTPS for a given number of seconds: once a browser has seen it, later plain-HTTP links and typed URLs are upgraded locally, so an attacker on the path cannot strip the site back down to HTTP. This is how I enabled it on my Apache 2.4 web server running on Debian 8…
First, add the Strict-Transport-Security header to your SSL VirtualHost file (mine was /etc/apache2/sites-enabled/000-default-le-ssl.conf):

<VirtualHost *:443>
    ServerName myhost.mydomain.be
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>

A few notes on what that one line commits you to. Browsers only honour the header when they receive it over HTTPS, so it belongs in the :443 VirtualHost and does nothing on the plain-HTTP one (keep that one as a redirect to HTTPS). The always keyword makes Apache add the header to every response, including redirects and error pages, rather than only to successful ones. max-age=15768000 is six months, long enough for the SSL Labs A+ requirement. includeSubDomains extends the policy to every subdomain of the host, so any subdomain that is only reachable over HTTP will stop working in a browser that has seen this header. preload declares that you want the site hard-coded into the HSTS lists shipped with browsers (submission is done at hstspreload.org); getting off that list again is slow, and the list currently requires a max-age of at least one year, so leave the directive out unless you really intend to submit and to keep HTTPS on every subdomain for good.
Then, enable the headers module on the command line and restart Apache:

# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
# service apache2 restart

Do not skip this step: because the Header directive is wrapped in <IfModule mod_headers.c>, Apache starts without complaint when the module is missing and simply never sends the header.
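Before re-running the SSL Labs test, it is worth checking that the header actually leaves the server and that its value is long enough. The following POSIX shell script is an added example and not part of the original post: it pulls the Strict-Transport-Security header out of a response (the constructed sample below stands in for the output of curl -sI https://myhost.mydomain.be/) and grades the value. The two thresholds are assumptions of the script, not something the post states: six months (15768000 seconds) as the SSL Labs A+ minimum, and one year (31536000 seconds) together with includeSubDomains and preload as the hstspreload.org submission minimum.

```shell
#!/bin/sh
# Added example, not from the original post: extract the Strict-Transport-Security
# header from a response and check it against two thresholds.
# Assumed thresholds: SSL Labs wants max-age of at least six months (15768000 s)
# for A+; the hstspreload.org list wants at least one year (31536000 s) plus the
# includeSubDomains and preload directives.
SSLLABS_MIN=15768000
PRELOAD_MIN=31536000

# Read response headers on stdin (e.g. from `curl -sI https://host/`) and print
# the value of the first Strict-Transport-Security header, or nothing at all.
hsts_from_response() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Split a header value into one lowercased, trimmed directive per line.
# Directive names are case-insensitive and max-age may be quoted (RFC 6797).
hsts_directives() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d '"' | tr ';' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Print the max-age value in seconds, or nothing if it is missing or non-numeric.
hsts_max_age() {
    hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Exit 0 if the named directive (e.g. includesubdomains, preload) is present.
hsts_has_directive() {
    hsts_directives "$1" | grep -qx "$2"
}

# Classify a header value and print one word:
#   invalid        no usable max-age, so browsers ignore the whole header
#   short          max-age below the assumed SSL Labs A+ threshold
#   a-plus         long enough for SSL Labs, but not ready for the preload list
#   preload-ready  at least a year, with includeSubDomains and preload present
hsts_grade() {
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        echo invalid
    elif [ "$age" -lt "$SSLLABS_MIN" ]; then
        echo short
    elif [ "$age" -ge "$PRELOAD_MIN" ] && hsts_has_directive "$1" includesubdomains \
            && hsts_has_directive "$1" preload; then
        echo preload-ready
    else
        echo a-plus
    fi
}

# Constructed sample response (not captured from a real host) carrying the header
# from the VirtualHost above; replace it with `curl -sI https://myhost.mydomain.be/`.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Type: text/html'

hdr=$(printf '%s\n' "$SAMPLE_RESPONSE" | hsts_from_response)
echo "header: $hdr"
echo "grade:  $(hsts_grade "$hdr")"   # a-plus: six months satisfies SSL Labs, not the preload list
```

Pipe a real curl -sI response into hsts_from_response to test the live server; an empty result means mod_headers is not loaded or the header sits in the wrong VirtualHost. Note that the header used in this post grades as a-plus rather than preload-ready under the assumed thresholds: it carries preload but only a six-month max-age, which is exactly the combination the caveat above warns about.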
After that, congratulate yourself on that well-earned A+ score!