HSTS enhances website security by forcing browsers to connect only via HTTPS, preventing HTTP connections. This protects against hacking and spying. To enable HSTS in Apache, add the “Strict-Transport-Security” header to your configuration file. This instructs browsers to always use a secure connection. Follow the steps carefully to implement HSTS and improve web security.

HSTS Uses

• Stop Man in the Middle attacks: Without the HSTS the bad people can trick browsers into using an insecure connection to your site. This lets them see all the information going between the browser and your site. HSTS stops this by forcing the browsers to only use the secure and encrypted connection that bad people cannot spy.
• Stop cookie hijacking: Websites use small data files called cookies to remember users and their information. Without a secure connection, bad people can steal these cookies and use them to pretend to be the user. HSTS ensures all the connections are secure keeping the cookies safe from being stolen.
• Meet browser requirements: Modern web browsers want to keep users safe. Some browsers now require websites to use the secure HTTPS connections. If a site does not use the HTTPS the browser may show the warning message saying the site is not secure. Enabling the HSTS helps your site to follow these browser rules and avoid scaring users with the security warnings.

Configuring HSTS in Apache

Step 1: Locate config file

This important file tells Apache how to run your site. It may called the “httpd.conf”, “apache2.conf”, or “ssl.conf”. You can usually find it in the “/etc/apache2” or in the “/etc/httpd” folder.

Step 2: Turn on headers

HSTS is sent as a special header instruction. To use headers, you need to turn them on first. On some systems, you can do this by typing the below commands.

Command:

sudo a2enmod headers

sudo service apache2 restart

Output:

Output

Step 3: Add the HSTS header

Open the config file in a text editor program by using the below command and Find the section for your website. Add this line of code inside that section.

Add the below line of code in the configuration file. This line tells browsers to always use the secure HTTPS connection to your site and subdomains for one year.

Code:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Command:

sudo gedit /etc/apache2/sites-enabled/000-default.conf

Output:

Output

Step 4: Restart Apache

After saving the change, you need to restart Apache for the new setting to work. Do this by typing the below command into the terminal.

Command:

service apache2 restart

Output:

Output

That’s it! You have now set up HSTS to make your Apache website more secure.

Optimizing HSTS in Apache

• Use a long max-age:The max-age setting tells browsers how long to use HTTPS for your site. A longer time like 1 year makes it more secure. But if you stop using HTTPS later, browsers will still try to connect that way until the max-age time runs out.
• Include subdomains:Adding includeSubDomains tells browsers to use HTTPS for all your site’s subdomains too. But first make sure all subdomains can use HTTPS, or users may have trouble connecting.
• Preload HSTS: Preloading makes browsers use HTTPS even on the first visit to your site. To do this, add “preload” to your HSTS setting. Then you can submit your site to a special preload list at https://hstspreload.org. But be careful, because getting removed from this list later is very hard.

Code:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Renew SSL on timeHSTS requires an SSL certificate to enable HTTPS. If your certificate expires, browsers may block your site until you get a new one. Test it works right: After setup, use online test tools to make sure HSTS is working properly on your site. These can catch any problems you need to fix.

Conclusion

In conclusion setting up the HSTS is very important for making your Apache website secure. It forces browsers to only use the safe HTTPS connection, protecting your site and users’ information from bad people. Following this guide helps you enable HSTS properly. With HSTS on, your website becomes much more secure and safe for users to visit.

FAQs

What does HSTS do?

HSTS makes sure web browsers only use the secure HTTPS connection when visiting your website. It stops browsers from using the insecure HTTP connection that bad people can spy on.

Why should I enable HSTS?

Enabling HSTS protects your website visitors from bad people trying to steal their information or data. It keeps their connection to your site secure and private.

Is it hard to set up HSTS?

No, setting up basic HSTS in Apache is pretty simple. You just need to add one line of code to your Apache configuration file.

What happens if I disable HSTS later?

If you disable HSTS after enabling it, web browsers will still try to use HTTPS to connect to your site for a set amount of time, based on the max-age you configured.

Can HSTS cause problems with my website?

HSTS requires a valid SSL/TLS certificate for HTTPS. If your certificate expires, browsers may block access to your site until you renew it. So keeping your SSL cert up-to-date is important.