Skip to main content

Enable HTTP Strict Transport Security

The web server does not offer HTTP Strict Transport Security. HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection.

Security assessment

Security_Assessment_EnableHSTS

CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

About HSTS

HTTP Strict Transport Security (HSTS) is a web security policy that ensures that browsers always use HTTPS to connect to websites. Part of its purpose is to remove the need to redirect users from HTTP to HTTPS website versions or secure any such redirects.

This is achieved with the HSTS header that the server sends back to the client at the beginning of the connection. This header informs the browser that after the first visit, which HSTS does not cover, it should only use HTTPS to interact with the website.

The Strict Transport Security header also prevents users from ignoring browser warnings about invalid or insecure SSL/TLS certificates.

Prevent attacks

Below you can find examples of how to enable HSTS on different platforms.

It is important to note that when deploying, HSTS policy should be declared at the base domain (sometimes called the root domain, though there is a difference). For example, https://crashtest-security.com/ instead of https://www.crashtest-security.com/.

To cover subdomains, the includeSubDomains directive should be utilized. But for this to work, all subdomains associated with the base domain must naturally also support HTTPS.

Use the following guides to set the correct header enabling HSTS.

Let's Encrypt

With Let's Encrypt, it is straightforward to enable HSTS. When creating a new certificate, add the -HSTS flag. If your certificates are already generated by Let's Encrypt, run the same command and select Attempt to reinstall this existing certificate as the first option. This will reuse your certificate and enable HSTS stapling.

certbot run -d [DOMAIN] --staple-ocsp --hsts

Nginx

On Nginx you need to update your SSL configuration which is usually located in at/etc/nginx/nginx.conf,/etc/nginx/sited-enabled/yoursite.com (Ubuntu/Debian) or /etc/nginx/conf.d/nginx.conf (RHEL/CentOS), to include the correct header with the add_headerdirectives:

server {  
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

listen 443;
server_name example.org;

root /usr/share/nginx/www;
index index.html index.htm;

ssl on;
ssl_certificate /etc/nginx/ssl/example.org/server.crt;
ssl_certificate_key /etc/nginx/ssl/example.org/server.key;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}

Apache HTTP Strict Transport Security

On Apache you need to update your SSL configuration to include the correct Header directives. Add this to the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<IfModule mod_ssl.c>  
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=31536000"

ServerAdmin webmaster@localhost
ServerName example.com
DocumentRoot /var/www

SSLEngine on

SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key

SSLCACertificateFile /etc/ssl/ca-certs.pem
SSLUseStapling on
</VirtualHost>
</IfModule>