How to enable HTTP Strict Transport Security (HSTS) on Apache and Nginx

  • Last update: Apr 3, 2024
  • Author: Admin

Hello colleagues.

In today's article, we'll talk about how you can add an additional security header to your site's HTTP responses: HTTP Strict Transport Security, or HSTS for short.

The HTTP Strict Transport Security header was created back in 2012. It tells the web browser to use only secure connections to a site that is served over HTTPS. The moment a user tries to open the non-secure (HTTP) version of a page on your website, the browser automatically redirects them to the secure HTTPS page instead. The header also stops the user from clicking through an invalid-certificate warning, which closes an opening an attacker could otherwise use.

There are several directives that can be applied to the HSTS header; we will use the simplest form, with only the max-age directive. The max-age directive defines the time in seconds during which the browser must reach the site only over HTTPS. It is best to set it to one year, expressed in seconds.


Article content:

  1. Enable the HTTP Strict Transport Security header in Apache.
  2. Enable the HTTP Strict Transport Security header in Nginx.


1. Enable the HTTP Strict Transport Security header in Apache.

To enable the HTTP Strict Transport Security HTTP header on the Apache web server, you need to add a special max-age directive in the main web server configuration file. Depending on your Linux operating system, the configuration file may be stored in different directories.

Open the Apache web server configuration file with any text editor convenient for you.

Debian/Ubuntu

$ sudo vim /etc/apache2/apache2.conf

RHEL/CentOS

$ sudo vim /etc/httpd/conf/httpd.conf

Add the following Header directive, carrying the max-age value, to the beginning of the file.

Header always set Strict-Transport-Security "max-age=31536000"


After adding the directive, be sure to restart the Apache web server so that our changes are successfully applied.

Debian/Ubuntu

$ sudo service apache2 restart

RHEL/CentOS

$ sudo service httpd restart

Restart the browser and check.


As we can see, our Apache web server now successfully sends the HTTP Strict Transport Security header in its responses.


2. Enable the HTTP Strict Transport Security header in Nginx.

To enable the HTTP Strict Transport Security HTTP header on the Nginx web server, you need to add a special directive in the main web server configuration file. The main Nginx configuration file is located at /etc/nginx and is called nginx.conf.

Open the Nginx web server configuration file with any text editor convenient for you.

$ sudo vim /etc/nginx/nginx.conf

Add the directive inside the http block.

http {
    add_header Strict-Transport-Security "max-age=31536000";
}


After adding the directive, be sure to restart the Nginx web server so that our changes are successfully applied.

$ sudo service nginx restart

Restart the browser and check.


As you can see, our Nginx web server now successfully sends the HTTP Strict Transport Security header in its responses.
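Both sections end with "restart the browser and check". The script below is an added example (not code from the article) that does that check offline: it parses raw response heads of the kind `curl -I` prints and validates the Strict-Transport-Security value against RFC 6797, which requires max-age and says a browser must ignore the header when it arrives over plain HTTP. That last rule is why the header only matters on the HTTPS response: on Apache the Header directive needs mod_headers loaded (a2enmod headers on Debian/Ubuntu), and on Nginx an add_header placed in the http block is not inherited by a server or location block that defines its own add_header. The sample responses, the one-year threshold and the function names are constructed for this example.

```python
"""Offline audit of an HSTS deployment (added example, not from the article).

Input: raw response heads as printed by `curl -I http://host/` and
`curl -I https://host/`.  Checks, per RFC 6797:
  * plain HTTP should redirect permanently to HTTPS;
  * the Strict-Transport-Security header must be present on the HTTPS
    response and carry a numeric max-age;
  * max-age should be at least the one year the article recommends.
"""

ONE_YEAR = 31536000  # seconds; the value used in the article's config lines


def parse_response_head(raw: str):
    """Split a raw response head into (status_code, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str):
    """Parse an STS header value into {directive-name: value}.

    Directive names are case-insensitive, values may be quoted, and a
    repeated directive or a missing/non-numeric max-age makes the header
    invalid (RFC 6797 section 6.1), so those raise ValueError.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val
    if "max-age" not in directives or not directives["max-age"].isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def audit(http_head: str, https_head: str):
    """Return a list of findings; an empty list means the deployment looks right."""
    findings = []
    status, headers = parse_response_head(http_head)
    location = headers.get("location", "")
    if status not in (301, 308) or not location.startswith("https://"):
        findings.append("plain HTTP does not redirect permanently to HTTPS")
    if "strict-transport-security" in headers:
        findings.append("STS header sent over plain HTTP (browsers ignore it there)")
    status, headers = parse_response_head(https_head)
    sts = headers.get("strict-transport-security")
    if sts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    try:
        directives = parse_hsts(sts)
    except ValueError as err:
        findings.append(f"malformed STS header: {err}")
        return findings
    if int(directives["max-age"]) < ONE_YEAR:
        findings.append(
            f"max-age {directives['max-age']} is below the recommended one year")
    return findings


# Constructed sample responses (not captured from a real host).
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://www.example.com/
"""
HTTPS_GOOD = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
"""
HTTPS_SHORT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400; includeSubDomains
"""
HTTP_NO_REDIRECT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
"""

if __name__ == "__main__":
    for label, pair in {"good": (HTTP_REDIRECT, HTTPS_GOOD),
                        "short max-age": (HTTP_REDIRECT, HTTPS_SHORT),
                        "no redirect": (HTTP_NO_REDIRECT, HTTPS_GOOD)}.items():
        print(label, "->", audit(*pair) or "OK")
```

To run it against your own server, paste the output of `curl -I http://yourhost/` and `curl -I https://yourhost/` into the two string constants; a finding such as "no Strict-Transport-Security header on the HTTPS response" after a restart usually means the directive landed in a block that does not serve the HTTPS virtual host.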


Thank you all, I hope my article was of some help to you.
