Enable HSTS in Apache2 SSL vhost

This tutorial explains how to enable HTTP Strict Transport Security (HSTS) in a Apache2 SSL vhost. HSTS is a method to instruct browsers that they always have to contact a certain website over https. It’s described in RFC 6797.

Enable HSTS header

As explained in the previous post, I was able to increase my SSL Labs rating from C to A by carefully instructing Apache2 which ciphers to use. We can increase the rating from A to A+ by adding the following configuration to the <VirtualHost> section of the vhost config.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Please note that this header will force browsers to use the https version for all your subdomains as well. Feel free to remove the last word if that’s not what you want.

SSL Labs result

This is the new result of a SSL Labs scan.

SSL Labs result with HSTS in Apache2 SSL vhost

SSL Labs result with HSTS

Leave a Reply

Your email address will not be published. Required fields are marked *