How to Enable HSTS for Enhanced Web Security in Apache?
Last Updated: 25 Jun, 2024
HSTS (HTTP Strict Transport Security) enhances website security by instructing browsers to connect to your site only over HTTPS, never over plain HTTP. This protects users against interception and eavesdropping on the connection. To enable HSTS in Apache, add the "Strict-Transport-Security" response header to your configuration file; once a browser has seen it, the browser always uses a secure connection to your site. Follow the steps below to implement HSTS and improve your web security.
HSTS Uses
- Stop man-in-the-middle attacks: Without HSTS, an attacker positioned between the user and your site can trick the browser into using an insecure HTTP connection, which exposes everything exchanged between the browser and your site. HSTS stops this by forcing the browser to use only the encrypted HTTPS connection, which the attacker cannot read.
- Stop cookie hijacking: Websites use small data files called cookies to remember users and their session. Over an insecure connection an attacker can steal these cookies and use them to impersonate the user. HSTS ensures that every connection is encrypted, so cookies are not exposed in transit.
- Meet browser requirements: Modern web browsers are designed to keep users safe, and some now expect websites to use HTTPS. If a site does not use HTTPS, the browser may show a warning saying the site is not secure. Enabling HSTS helps your site follow these browser rules and avoid alarming users with security warnings.
Configuring HSTS in Apache
Step 1: Locate config file
This file tells Apache how to run your site. It may be called "httpd.conf", "apache2.conf", or "ssl.conf", and you can usually find it in the "/etc/apache2" or "/etc/httpd" directory.
Step 2: Turn on headers
HSTS is sent as an HTTP response header, so Apache's headers module (mod_headers) must be enabled first. On Debian-based systems you can do this by running the commands below.
Command:
sudo a2enmod headers
sudo service apache2 restart
Step 3: Add the HSTS header
Open the config file in a text editor, for example with the command below, and find the <VirtualHost> section for your website. The header belongs in the HTTPS (port 443) virtual host, the one with SSLEngine on: browsers ignore a Strict-Transport-Security header that arrives over plain HTTP, so setting it only in the port 80 section has no effect.
Command:
sudo gedit /etc/apache2/sites-enabled/000-default.conf
Add the line below inside that section. It tells browsers to use only the secure HTTPS connection to your site and its subdomains for one year (31536000 seconds).
Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Step 4: Restart Apache
After saving the change, restart Apache so the new setting takes effect. Do this by running the command below in the terminal.
Command:
service apache2 restart
That's it! You have now set up HSTS to make your Apache website more secure.
Optimizing HSTS in Apache
- Use a long max-age: The max-age setting tells browsers how long (in seconds) to keep using HTTPS for your site. A longer time, like one year, is more secure. But if you stop serving HTTPS later, browsers will keep trying to connect that way until the max-age time runs out.
- Include subdomains: Adding includeSubDomains tells browsers to use HTTPS for all of your site's subdomains too. Before enabling it, make sure every subdomain can serve HTTPS, or users may be unable to reach them.
- Preload HSTS: Preloading makes browsers use HTTPS even on the very first visit to your site. To do this, add "preload" to your HSTS setting, then submit your site to the preload list at https://hstspreload.org. Be careful, because getting removed from this list later is very hard.
Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- Renew SSL on time: HSTS requires a valid SSL/TLS certificate to serve HTTPS. If your certificate expires, browsers may block your site entirely until you install a new one.
- Test it works right: After setup, use online test tools to make sure HSTS is working properly on your site. These can catch any problems you need to fix.
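As an added example (not part of the original article), the following POSIX shell functions perform the "test it works right" step locally instead of with an online tool: they read raw response headers, for instance from `curl -sI https://www.example.com/` (example.com is a placeholder), and check the Strict-Transport-Security policy for the mistakes this article warns about: header missing (typically because it was put in the HTTP virtual host), max-age missing or too short, includeSubDomains absent, and preload set on a policy that does not meet the preload requirements.

```shell
# Usage: curl -sI https://www.example.com/ | check_hsts
# (example.com is a placeholder; exit status 0 means the policy is sound)

# Print the Strict-Transport-Security value from response headers on stdin.
# Header names are case-insensitive and CRLF line endings are stripped.
hsts_value() {
  tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Print the number from the max-age directive of header value $1, or nothing.
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z;' 'a-z\n' \
    | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed if directive $2 (lowercase, e.g. includesubdomains, preload)
# appears in header value $1; directive names are case-insensitive.
hsts_has() {
  printf '%s\n' "$1" | tr 'A-Z;' 'a-z\n' | tr -d ' \t' | grep -qx "$2"
}

# Check the headers on stdin. $1 is the minimum max-age to accept
# (default one year, which is also what the preload list requires).
check_hsts() {
  min=${1:-31536000}
  value=$(hsts_value)
  if [ -z "$value" ]; then
    echo "FAIL: no Strict-Transport-Security header (is it in the HTTPS VirtualHost?)"
    return 1
  fi
  status=0
  age=$(hsts_max_age "$value")
  if [ -z "$age" ]; then
    echo "FAIL: max-age directive missing, browsers ignore the header"; status=1
  elif [ "$age" -lt "$min" ]; then
    echo "WARN: max-age=$age is below $min seconds"; status=1
  fi
  hsts_has "$value" includesubdomains \
    || { echo "WARN: includeSubDomains not set"; status=1; }
  if hsts_has "$value" preload; then
    # hstspreload.org requires max-age >= 31536000 and includeSubDomains
    { [ -n "$age" ] && [ "$age" -ge 31536000 ] \
      && hsts_has "$value" includesubdomains; } \
      || { echo "FAIL: preload set but policy does not meet preload requirements"; status=1; }
  fi
  [ "$status" -eq 0 ] && echo "OK: $value"
  return "$status"
}
```

Run it against both http:// and https:// URLs of your site: the plain-HTTP response should lack the header (and ideally redirect), while the HTTPS response must carry it.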
Conclusion
In conclusion, setting up HSTS is an important step in securing your Apache website. It forces browsers to use only the encrypted HTTPS connection, protecting your site and your users' information from attackers. Following this guide helps you enable HSTS properly. With HSTS on, your website becomes much more secure and safer for users to visit.