Enabling HSTS in Apache 2.4

After securing one of my servers with Let’s Encrypt, I was a bit disappointed that my website only got an A result on the Qualys SSL Server Test. Why did I not get the much sought-after A+?

Browsing the Protocol Details of the report, I discovered that my website was lacking Strict Transport Security (HSTS) support. This is how I enabled it on my Apache 2.4 web server running on Debian 8…

First, add the Strict-Transport-Security header to your SSL VirtualHost file (mine was /etc/apache2/sites-enabled/000-default-le-ssl.conf):

<VirtualHost *:443>
    ServerName myhost.mydomain.be
    <IfModule mod_headers.c>
        # max-age is in seconds; 15768000 is about six months.
        # The header belongs on the :443 host only: browsers ignore HSTS received over plain HTTP.
        # includeSubDomains + preload covers every subdomain and is slow to undo, so only keep them if that is intended.
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>

Then, enable the headers module from the command line and restart Apache:

# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
service apache2 restart
# service apache2 restart
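A small check script, added here and not part of the original post, that reads raw response headers on stdin (for example piped from curl -sI) and verifies that the HSTS header is present with a max-age at least as large as the one set above. The hostname in the usage comment is the one assumed from the VirtualHost.

```shell
#!/bin/sh
# Added example: validate an HSTS header the way a scanner would, from the
# raw response headers on stdin.
# Usage against a live server (assumed hostname from the VirtualHost):
#   curl -sI https://myhost.mydomain.be/ | check_hsts
# Exit status: 0 = present and long enough, 1 = missing/malformed, 2 = too short.

MIN_AGE=15768000   # six months, the value used in the VirtualHost above

check_hsts() {
    # Header names are case-insensitive; take the first STS header, strip CR.
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header" >&2
        return 1
    fi
    # Pull the numeric max-age value out of the directive list.
    age=$(printf '%s\n' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "FAIL: header has no max-age directive: $hsts" >&2
        return 1
    fi
    if [ "$age" -lt "$MIN_AGE" ]; then
        echo "WARN: max-age=$age is below $MIN_AGE seconds" >&2
        return 2
    fi
    echo "OK: $hsts"
    return 0
}
```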

After that, congratulate yourself on that well-earned A+ score!
