How to Enable HTTP Strict Transport Security (HSTS) for Apache?

HTTP Strict Transport Security (HSTS) is a security policy component that assists with safeguarding sites against protocol for downsize attacks and cookies highjacking by forcing the HTTPS connections. Using HSTS on your Apache web server improves the security of your site.

Prerequisites

• Access: Admin access to your Apache web server.
• SSL/TLS Certificate: Installed and configured on your Apache server.
• Apache: Installed and running.
• Text editor: Like nano or vim, for changing configuration files.

Introduction to HSTS

HTTP Strict Transport Security (HSTS) is a web security system that assists with safeguarding websites against conventional DDoS assaults and cookie hijacking. It permits a web server to tell web browsers (or other consenting users) to interface with it using secure HTTPS systems, and never by method of the insecure HTTP systems.

Importance of HSTS in web security

HTTP Strict Transport Security (HSTS) is a critical component in web security intended to improve the security of user information and some particular sorts of attacks. It works by telling web browsers to just cooperate with a website over a secure HTTPS association, regardless of whether the user wants to get to it through an insecure HTTP connection. This guarantees that important data, for example, login certifications or money transactions, remains encoded and safeguarded from hackers.

 Why Use HSTS?

HSTS keeps hackers from driving a user's browser to minimize a secure HTTPS association with an insecure HTTP association. In a regular minimization hacking situation, a hacker captures correspondence between a user and a website and controls it to drive the use of HTTP rather than HTTPS. This minimization can open delicate data to block attempts or alteration.

HSTS handles this by training consistent web browsers to just use a website over HTTPS, whether or not the user at first enters an HTTP or HTTPS URL. When a user visits a website that has empowered HSTS, their browser recalls this mandate for a predetermined period (constrained by the "maximum age" order), guaranteeing all resulting associations with that webpage are consequently secured with HTTPS.

How to check if Apache is installed and running?

Checking whether the Apache is installed and running can be done using the following command:

apache2 -v

This command will tell the Apache version if it is correctly installed in the system, after confirming the installation, to check whether it is running or not use the following command:

sudo systemctl status apache2     # for Debian-based system
ssudo systemctl status httpd       # for Red Hat-based systems

How to ensure SSL/TLS is correctly configured on Apache?

To check whether SSL is correctly configured on Apache, you will have to enable and run the mod_ssl package, for refer to the article mentioned below:

• How To Enable mod_ssl in Apache?
• Once the above steps are completed, we can continue to enable HSTS for Apache.

Steps to enable HTTP Strict Transport Security (HSTS) for Apache

Step 1: Open the default SSL file

Open the directory where the site's files are stored, and open the 000-default-le-ssl.conf, for this use the following command:

vim sites-available/000-default-le-ssl.conf

Note: The directory can vary depending on where you have kept your local host files.

Step 2: Add HSTS Header

The next step is to insert the HSTS code between the SSL code, as you can see below, the empty area is where the code should be.

In the space enter the following code:

Header always set Strict-Transport-Security max-age=31536000

Examples of parameters which can be used in HSTS:

• max-age: When a browser gets the maximum age, it will naturally change over all HTTP connections to HTTPS during the period. a server sends max-age=31536000, the browser will implement HTTPS for that site for one year.
• includeSubDomains: it deploys the HSTS to all subdomains of the website. This implies that HTTPS will be implemented for the website as well as for all subdomains.
• preload: Browsers keep a preload rundown of websites that have been picked into HSTS preload. At the point when a website is on this rundown, browsers will use HTTPS for the area and subdomains in any event, for users who have never visited the site

Step 3: Restart Apache

The next step is to reload the Apache server, for this run the following command in the terminal:

Linux (Debian/Ubuntu):

sudo systemctl restart apache2

Linux (Red Hat/CentOS):

sudo systemctl restart httpd

Step 4: Open the site directory in Vim

The next step is to open the site directory in the Vim editor, to do this type the following command into your terminal:

vim sites-available/directory-name/

Step 5: Add security code

The next step is to add the security code in this file similar to the one we added previously, so add the following code in the code:

Header always set Strict-Transport-Security max-age=31536000

Step 6: Reload the service

The next step is to reload the service, for this run the following command in the terminal:

systemctl reload nginx

Step 7: Verify Configuration

To check whether the site is now secured by HSTS or not, open the site in the browser and open developer tools > network > select the site and see if the following security property is being displayed or not.

If it's displayed similarly to the image then it means that the HSTS is implemented successfully.

Conclusion

Including HTTP Strict Transport Security (HSTS) for Apache is an important move towards improving web security by guaranteeing all data sent with the site and with your server are encoded over HTTPS. by adding HSTS headers, you can protect the site against attacks and also increase user privacy. make sure to carefully set the HSTS header parameters, including the max-age, etc.