How to Enable HSTS for Apache, NGINX, IIS & Lighttpd Servers

HSTS stands for HTTP Strict Transport Security. It is a widely used mechanism that works together with the HTTPS protocol to keep a website running securely over HTTPS. HSTS is one of the most widely adopted security measures for HTTPS websites and is used by most HTTPS sites on the Web. It is used to redirect users from HTTP to HTTPS, providing a 301 redirect to the main HTTPS site without any error or warning.

What is the important role of HSTS in an HTTPS connection

  1. It redirects to HTTPS when a user types HTTP in the web browser by mistake.
  2. It removes warnings about invalid SSL certificates.
  3. It always uses the HTTPS connection once HSTS is enabled.
  4. It always returns the HTTP header on the secure HTTPS connection.
  5. HSTS is a must for HTTPS connections in order to avoid trivial attacks on HTTPS websites.
  6. When HSTS is active, "http://" is always replaced with "https://" in the web server request by the HSTS protocol.
  7. It provides additional security against hijacking and malicious attacks.

What is the default HSTS parameter

Recommended HSTS parameter

Strict-Transport-Security: max-age=expireTime

Here expireTime is the time in seconds; the minimum period should be set to 18 weeks.

HSTS parameter with sub-domain support

Strict-Transport-Security: max-age=expireTime [; includeSubDomains]

Here includeSubDomains extends the HSTS policy of the parent domain to all of its sub-domains.

How to Enable HSTS for Apache Web Servers

Step-1 (Enable the Apache headers module)

You must enable the headers module, for example with a2enmod headers.

Step-2 (Add the header to the virtual host directives)

With sub-domain support (for one year):

<VirtualHost IP-Address:443>
    # 31536000 seconds = 365 days; the policy also covers every sub-domain
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Without sub-domain support (for one year):

<VirtualHost IP-Address:443>
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

Step-3 (Add a permanent redirect to HTTPS to the port-80 virtual host)

<VirtualHost *:80>
[...]
ServerName techbrown.com
# Send every plain-HTTP request to the HTTPS site with a 301
Redirect permanent / https://techbrown.com/
</VirtualHost>

Step-4 (Restart the Apache service)

For the change to take effect you need to restart the Apache service on your operating system.

How to Enable HSTS for NGINX Web Servers

Step-1 (Add this header to the HTTPS server block for one year)

# Place this in the server block that listens on 443 with ssl; quote the value
# and use "always" (nginx 1.7.5 or later) so the header is sent on every response
add_header Strict-Transport-Security "max-age=31536000" always;

Step-2 (Restart the NGINX service)

For the change to take effect you need to restart the NGINX service on your operating system.

How to Enable HSTS for Lighttpd Web Servers

Step-1 (Add the following lines to the configuration file for one year)

# mod_setenv is needed to add response headers
server.modules += ( "mod_setenv" )
# Only send the header on HTTPS responses; browsers ignore it over plain HTTP
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}

Step-2 (Restart the Lighttpd service)

For the change to take effect you need to restart the Lighttpd service on your operating system.

How to Enable HSTS for Microsoft's IIS Web Servers

Step-1 (Open the HTTP Response Headers feature in IIS Manager)

[Screenshot: HTTP Response Headers in IIS Manager]

Step-2 (Add a custom HTTP response header for one year)

[Screenshot: Add Custom HTTP Response Header dialog]

Step-3 (Restart the IIS service)

For the change to take effect you need to restart the IIS service on your Windows operating system.


Final Words

That is all; you have now secured your HTTPS websites by enabling HSTS. It is the most recommended security tip to enable on an HTTPS website in order to protect it against various attacks. If you have any issues or questions regarding this topic, you may use the comment section below.
