Enable HTTP Strict Transport Security (HSTS) on Apache HTTPD

This guide explains how to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD.

  • The first step is to verify that the Apache HTTPD headers module (mod_headers) is enabled. Check that the following line is present in /etc/httpd/conf.modules.d/00-base.conf or /etc/httpd/conf/httpd.conf.

LoadModule headers_module modules/mod_headers.so

  • Add the following line to /etc/httpd/conf.d/ssl.conf, inside the <VirtualHost *:443> block or inside each SSL-enabled virtual host.

Header always set Strict-Transport-Security "max-age=58099000; includeSubDomains"

  • The final step is to redirect traffic from the non-encrypted virtual host to HTTPS as follows:

<IfModule mod_rewrite.c>
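# Redirect any request that arrived over plain HTTP to the same host and path on HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; L stops further rewrite processing for this request.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]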
</IfModule>

  • Restart the HTTPD service as follows:

systemctl restart httpd
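
To confirm the result after the restart, the following added example (not part of the original guide) checks response headers for the HSTS policy and for the HTTP-to-HTTPS redirect. The function names, the minimum max-age threshold and www.example.com are assumptions, and the sample responses are constructed so the script runs offline.

```sh
#!/bin/sh
# Live use (www.example.com is a placeholder):
#   curl -sI https://www.example.com/ | hsts_check
#   curl -sI http://www.example.com/  | redirect_check

# Succeeds only if the first Strict-Transport-Security header on stdin has
# max-age >= MIN_AGE (assumed default: 15768000 s) and includeSubDomains.
hsts_check() {
  tr -d '\r' | awk -v min="${MIN_AGE:-15768000}" '
    tolower($0) ~ /^strict-transport-security[ \t]*:/ && !seen {
      seen = 1
      n = split(substr($0, index($0, ":") + 1), d, ";")
      for (i = 1; i <= n; i++) {
        v = tolower(d[i]); gsub(/[ \t"]/, "", v)   # normalise one directive
        if (v ~ /^max-age=[0-9]+$/) age = substr(v, 9)
        if (v == "includesubdomains") subs = 1
      }
    }
    END {
      if (!seen)     { print "FAIL: no Strict-Transport-Security header"; exit 1 }
      if (age == "") { print "FAIL: max-age missing or not numeric"; exit 1 }
      if (age + 0 < min + 0) { print "FAIL: max-age " age " is below " min; exit 1 }
      if (!subs)     { print "FAIL: includeSubDomains missing"; exit 1 }
      print "OK: max-age=" age "; includeSubDomains"
    }'
}

# Succeeds only if the plain-HTTP response on stdin redirects to an https:// URL.
redirect_check() {
  tr -d '\r' | awk '
    NR == 1 { code = $2 }
    tolower($1) == "location:" { loc = $2 }
    END {
      if (code !~ /^30[1278]$/) { print "FAIL: status " code " is not a redirect"; exit 1 }
      if (loc !~ /^https:\/\//) { print "FAIL: Location is not HTTPS: " loc; exit 1 }
      print "OK: " code " -> " loc
    }'
}

# Constructed sample responses (not captured from a real server).
sample_good()     { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=58099000; includeSubDomains\r\n\r\n'; }
sample_short()    { printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n'; }
sample_redirect() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n'; }

sample_good     | hsts_check
sample_short    | hsts_check || echo "(short-lived policy rejected as expected)"
sample_redirect | redirect_check
```

Browsers honour the Strict-Transport-Security header only when it arrives over HTTPS, so run hsts_check against the https:// URL and redirect_check against the http:// URL.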
