Enable HSTS in Apache2 SSL vhost

This tutorial explains how to enable HTTP Strict Transport Security (HSTS) in an Apache2 SSL vhost. HSTS is a mechanism that instructs browsers to always contact a given website over https; it is described in RFC 6797.

Enable HSTS header

As explained in the previous post, I was able to raise my SSL Labs rating from C to A by carefully telling Apache2 which ciphers to use. The rating can be raised from A to A+ by adding the following line to the <VirtualHost> section of the SSL vhost config.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Please note that, because of includeSubDomains, this header also forces browsers to use the https version of all your subdomains. Remove that last directive (and the semicolon before it) if that is not what you want.
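To confirm the header actually reaches clients after reloading Apache (the Header directive needs mod_headers, enabled with a2enmod headers on Debian/Ubuntu), here is an added shell check that is not part of the original post. It parses the response headers, reports the max-age and whether includeSubDomains is set, and uses a minimum max-age that is an assumed threshold (one year), not a value from the post.

```sh
#!/bin/sh
# Added example, not from the original post: check the HSTS policy a host sends.
# hsts_from_headers parses raw HTTP response headers on stdin and prints
# "<max-age> <yes|no>" (includeSubDomains present?), nothing if the header is absent.
# check_hsts applies the checks; the minimum max-age is a threshold chosen here
# (one year), the post uses 63072000 (two years). check_live assumes curl.
hsts_from_headers() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:[ \t]*/, "")          # drop the header name
            sub(/[ \t]+$/, "")                # and trailing whitespace
            gsub(/"/, "")                     # max-age may be quoted (RFC 6797)
            n = split(tolower($0), d, /[ \t]*;[ \t]*/)
            age = ""; subs = "no"
            for (i = 1; i <= n; i++) {
                if (d[i] ~ /^max-age=[0-9]+$/) { split(d[i], kv, "="); age = kv[2] }
                else if (d[i] == "includesubdomains") subs = "yes"
            }
            if (age != "") print age, subs    # a policy without max-age is invalid
            exit                              # only the first header counts
        }'
}

# check_hsts MIN_AGE  (headers on stdin)
# exit 0: policy present and long enough; 1: header missing; 2: max-age too short
check_hsts() {
    min_age=$1
    policy=$(hsts_from_headers)
    if [ -z "$policy" ]; then
        echo "no Strict-Transport-Security header (is mod_headers enabled and Apache reloaded?)"
        return 1
    fi
    age=${policy% *}
    subs=${policy#* }
    if [ "$age" -lt "$min_age" ]; then
        echo "HSTS max-age=$age is below the required $min_age seconds"
        return 2
    fi
    echo "HSTS ok: max-age=$age includeSubDomains=$subs"
    if [ "$subs" = yes ]; then
        echo "note: every subdomain of this host must also be reachable over https"
    fi
    return 0
}

# Live check of a host, e.g.: check_live example.com 31536000
check_live() {
    curl -sI "https://$1/" | check_hsts "${2:-31536000}"
}
```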

SSL Labs result

This is the new result of an SSL Labs scan.

SSL Labs result with HSTS

