This guide explains how to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD.
- The first step is to verify that the Apache HTTPD headers module (mod_headers) is enabled. Check that the following line is present in /etc/httpd/conf.modules.d/00-base.conf or /etc/httpd/conf/httpd.conf:

    LoadModule headers_module modules/mod_headers.so
- Add the following line in /etc/httpd/conf.d/ssl.conf, inside the <VirtualHost *:443> virtual host, or inside each SSL-enabled virtual host if there are several:

    Header always set Strict-Transport-Security "max-age=58099000; includeSubDomains"
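- The final step is to redirect traffic from the non-encrypted virtual host to HTTPS as follows:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Only rewrite requests that arrived over plain HTTP
        RewriteCond %{HTTPS} off
        # Permanent redirect to the same host and path over HTTPS; stop processing further rules
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>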
- Restart the HTTPD service as follows:

    systemctl restart httpd
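
To confirm the configuration after the restart, the response headers can be checked for the policy set above and for the HTTP-to-HTTPS redirect. The script below is an added example, not part of the original guide; the function names, the `www.example.com` placeholder host and the sample responses are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate HSTS and redirect behaviour from response headers.
# Against a live server (placeholder hostname):
#   curl -sI https://www.example.com/ | check_hsts 58099000
#   curl -sI http://www.example.com/  | check_redirect

# check_hsts MIN_AGE: reads response headers on stdin.
# Returns 0 if Strict-Transport-Security has max-age >= MIN_AGE and
# includeSubDomains, 1 if the header is missing, 2 if the policy is weaker.
check_hsts() {
    local min_age="${1:-58099000}" value max_age
    # Header names are case-insensitive; strip CR from CRLF line endings.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    [ -n "$value" ] || return 1
    max_age=$(printf '%s' "$value" | grep -ioE 'max-age="?[0-9]+' | grep -oE '[0-9]+' | head -n 1)
    [ -n "$max_age" ] || return 2
    [ "$max_age" -ge "$min_age" ] || return 2
    printf '%s' "$value" | grep -qi 'includesubdomains' || return 2
    return 0
}

# check_redirect: reads the plain-HTTP response headers on stdin.
# Returns 0 only for a 3xx redirect whose Location uses https://.
check_redirect() {
    local headers status location
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 | cut -d: -f2- | sed 's/^ *//')
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample responses (not captured from a real server).
sample_https() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=58099000; includeSubDomains\r\n\r\n'
}
sample_weak() {
    printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n'
}
sample_http_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n'
}

sample_https | check_hsts 58099000 && echo "HSTS policy OK"
sample_http_redirect | check_redirect && echo "HTTP redirects to HTTPS"
```

The plain-HTTP response is expected to carry no Strict-Transport-Security header: the directive was added only to the port 443 virtual host, and browsers ignore the header when it arrives over HTTP.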