HTTP Strict Transport Security (HSTS)

The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server, while the user’s browser has HSTS Policy in effect for that web application

So what we need?

Activate mod headers in apache:

a2enmod headers

HSTS header into VirtualHost:

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”

max age set the Time in seconds and includeSubDomains set the HSTS header also into your subdomains (recommended). If you don’t want his just only let it our and close after31536000.


One thought on “HTTP Strict Transport Security (HSTS)”

  1. It should be this:
    “max-age=31536000; includeSubDomains”
    Not this:
    “max-age=31536000 includeSubDomains”
    Notice the missing “;”

Leave a Reply

Your email address will not be published. Required fields are marked *