Enabling HSTS

HTTP Strict Transport Security is a very simple addition to an HTTPS deployment. The server does not enforce TLS itself; instead a response header tells the client's browser that the site only delivers content over https://, with no exceptions, and pre-populated lists such as Google's (linked here) extend that to the very first visit. This prevents a man-in-the-middle from downgrading the connection to plain HTTP. While the only page on this site that would have been exposed to an MitM attack is the contact-me page, it's nice to see the shiny A+ compared to my old bank's B rating.


For me it's just an exercise and vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don't online bank on public WiFi, really don't do it until they start employing HSTS and stop using insecure ciphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

<VirtualHost *:80>
 ServerName yourdomain.com
 Redirect permanent / https://yourdomain.com/
</VirtualHost>

or adding this to your .htaccess:

RewriteEngine On
# Only rewrite requests that arrived on port 80 (anchored so e.g. 8080 does not match)
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Check for any mixed-content issues (insecure resources loading in your now-secure page); this tester will point you in the right direction.

Then, again in the .htaccess, add the required header itself:

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

15552000 is about 6 months in seconds and satisfies the SSL Labs test; lower values will work for Google's preload list, even as low as 6 weeks, but as enabling HSTS is difficult to reverse a shorter max-age makes little difference and you might as well earn the A+ rating. Note that includeSubDomains means every subdomain must also be reachable over HTTPS before this header goes live, as browsers will refuse plain-HTTP connections to all of them.

Run a test at https://www.ssllabs.com/ssltest/analyze.html and check near the bottom for:

Strict Transport Security (HSTS) Yes
 max-age=15552000; includeSubDomains; preload

If you see that, all is good; add your domain to be included in Google Chrome's HSTS preload list here: https://hstspreload.appspot.com/
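As an added example (not from the original post), here is a small Python checker that applies the same criteria as the SSL Labs check above to a Strict-Transport-Security header value: max-age of at least 15552000, includeSubDomains and preload. The sample header values at the bottom are constructed, not captured from a real site.

```python
"""Parse and evaluate a Strict-Transport-Security header value."""
import re

SIX_MONTHS = 15552000  # the max-age used in the article (about 6 months)


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directive -> value.

    Directive names are case-insensitive (RFC 6797) and max-age may be quoted.
    Returns None if the header is malformed (duplicated directive, missing or
    non-numeric max-age), because browsers ignore such a header entirely.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name in directives:
            return None  # duplicate directive: whole header is invalid
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            directives[name] = int(raw)
        else:
            directives[name] = True
    if "max-age" not in directives:
        return None  # max-age is mandatory
    return directives


def check_hsts(value, min_age=SIX_MONTHS):
    """Return a list of problems; an empty list means the header meets the
    article's target: max-age >= min_age plus includeSubDomains and preload."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header is malformed and will be ignored by browsers"]
    problems = []
    if parsed["max-age"] < min_age:
        problems.append("max-age %d is below %d" % (parsed["max-age"], min_age))
    for flag in ("includesubdomains", "preload"):
        if flag not in parsed:
            problems.append("missing %s directive" % flag)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    for sample in ("max-age=15552000; includeSubDomains; preload",
                   "max-age=3628800", "max-age=abc"):
        print(sample, "->", check_hsts(sample) or "OK")
```

To check a live site, paste the value from `curl -sI https://yourdomain.com/ | grep -i strict-transport-security` into check_hsts.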

All the other browsers "feed" from the centralised list; as of today I've not been added, but there is no reason I won't be.
