
Apache Security Tip: Use HTTP Strict Transport Security with mod_headers

December 17, 2023

When it comes to securing your website and protecting sensitive user data, implementing the right security measures is crucial. One such measure is using HTTP Strict Transport Security (HSTS) with mod_headers in Apache. In this article, we will explore what HSTS is, how it works, and how you can enable it on your Apache server.

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a security policy mechanism that allows a website to inform the user’s browser that it should only communicate with the website over a secure HTTPS connection. It helps prevent downgrade attacks and ensures that all communication between the browser and the website is encrypted.

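When a browser receives the HSTS header from a website over HTTPS, it remembers the policy for a specified period of time (usually a few months). During this time, the browser will automatically rewrite any HTTP request for that site to HTTPS before sending it, even if the user manually enters an HTTP URL or clicks on an HTTP link. Browsers ignore an HSTS header delivered over plain HTTP, so the very first visit is protected only if it already uses HTTPS or the site is on the browser's preload list.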

Enabling HSTS with mod_headers in Apache

To enable HSTS on your Apache server, you need to have the mod_headers module installed and enabled. Most modern Apache installations come with this module by default. If you’re unsure, you can check if the module is enabled by running the following command:

apachectl -M | grep headers_module

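If the module is enabled, you can proceed with the configuration. Open your Apache configuration file (usually located at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf) and add the following lines, ideally inside the virtual host that serves HTTPS, since the header has no effect on plain HTTP responses: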

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

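The max-age directive specifies the duration (in seconds) for which the HSTS policy should be cached by the browser. In the example above, it is set to one year (31536000 seconds). The includeSubDomains directive ensures that the HSTS policy applies to all subdomains of your website, so every subdomain must be reachable over HTTPS before you send it. The preload directive indicates that your website should be included in the HSTS preload list maintained by browsers. The directive alone does not add the site to that list; the domain must also be submitted at hstspreload.org, and removal from the list takes a long time to reach users.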

After making the changes, save the configuration file and restart Apache for the changes to take effect (on Red Hat-based systems the service is named httpd rather than apache2):

sudo service apache2 restart

Testing HSTS Implementation

Once you have enabled HSTS on your Apache server, you can test its implementation using various online tools such as hstspreload.org or securityheaders.com. These tools will analyze your website’s response headers and provide feedback on the HSTS configuration.
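
The header can also be checked locally before relying on the online tools. The shell function below is an added example, not part of the original article: it parses a Strict-Transport-Security value and reports which parts of the policy configured above are missing or too weak. The name hsts_check, the sample header values and the www.example.com host are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. hsts_check and the sample
# header values below are constructed for illustration.
#
# Usage: hsts_check HEADER_VALUE [MIN_AGE]
# Prints one line per problem; exit status 0 means the policy is complete.
# Against a live site (www.example.com is a placeholder):
#   hsts_check "$(curl -sI https://www.example.com/ |
#       grep -i '^strict-transport-security:' | cut -d: -f2-)"
hsts_check() (              # subshell body keeps IFS/set -f changes local
    min_age=${2:-31536000}  # one year, the value used in the config above
    max_age='' subdomains=0 preload=0 status=0

    # Directives are separated by ';' and their names are case-insensitive.
    IFS=';'; set -f
    for directive in $1; do
        d=$(printf '%s' "$directive" | tr -d ' \t\r"' | tr 'A-Z' 'a-z')
        case $d in
            max-age=*)         max_age=${d#max-age=} ;;
            includesubdomains) subdomains=1 ;;
            preload)           preload=1 ;;
        esac
    done

    case $max_age in
        ''|*[!0-9]*)
            echo "max-age is missing or not a number"; status=1 ;;
        *)
            if [ "$max_age" -eq 0 ]; then
                echo "max-age=0 tells the browser to drop the policy"; status=1
            elif [ "$max_age" -lt "$min_age" ]; then
                echo "max-age=$max_age is shorter than $min_age seconds"; status=1
            fi ;;
    esac
    if [ "$subdomains" -eq 0 ]; then echo "includeSubDomains is missing"; status=1; fi
    if [ "$preload" -eq 0 ]; then echo "preload is missing"; status=1; fi
    exit "$status"
)

# Constructed sample values: the header from the config above and a weak one.
GOOD_HEADER='max-age=31536000; includeSubDomains; preload'
WEAK_HEADER='Max-Age="3600"; includeSubDomains'

for header in "$GOOD_HEADER" "$WEAK_HEADER"; do
    if hsts_check "$header"; then echo "OK:   $header"; else echo "WEAK: $header"; fi
done
```

Run the curl form against the HTTPS URL of the site; a response fetched over plain HTTP should not carry the header at all.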

Summary

Implementing HTTP Strict Transport Security (HSTS) with mod_headers in Apache is an effective way to enhance the security of your website. By enforcing secure HTTPS connections and preventing downgrade attacks, you can protect your users’ data and build trust. To enable HSTS, ensure that the mod_headers module is enabled on your Apache server and add the appropriate configuration to your Apache configuration file. For more information on VPS hosting and securing your website, visit Server.HK.
