How to configure the HSTS (HTTP Strict Transport Security) header for our web pages running on our Apache web server

botond, published Jan. 01, 2023, 11:23 p.m.

Introduction

Using the HSTS header, we can make our websites more secure against man-in-the-middle attacks. In this short description, we will see how to set this HTTP header in an Apache-based LAMP or ISPConfig server environment.

Prerequisites

To use the HSTS header, the headers Apache module must be enabled. On more complex servers this was already turned on during installation, but if, for example, we only have a simpler LAMP server, we can turn it on with the following commands:

sudo a2enmod headers
sudo systemctl restart apache2


HSTS setup

The HSTS header can be easily set, whether it is a simple LAMP server or a more complex ISPConfig server environment.

Setup on a LAMP server

On LAMP servers, we can only do this if SSL is already configured for the website; otherwise the whole thing makes no sense. Of course, the certificate can also be a self-signed certificate for development purposes; the main thing is to have some kind of SSL set up.

To set it up, log in as root, then go to the following directory:

cd /etc/apache2/sites-available/

then open the .vhost file belonging to the website to be set up (the virtual host file) in this directory:

nano xxxx.vhost

Then find the section below:

<VirtualHost *:443>

[...]

</VirtualHost>

And add the following lines to it:

    <IfModule mod_headers.c>
        Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>

In such cases I use indentation only because the virtual host file is edited by hand, so that these files stay readable. In the ISPConfig case below, the ISPConfig panel manages these files, so aesthetics no longer matter there.

HTTPS redirection

Note that the above setting (inside the *:443 section) applies only to the HTTPS virtual host, i.e. when someone connects over HTTPS from the start. Therefore we also have to protect the plain HTTP virtual host, so that even the first connection becomes secure when someone tries to connect over the unencrypted HTTP protocol.

The best way to do this is to set a redirect to HTTPS.

Now look for the HTTP (*:80) virtualhost block here:

<VirtualHost *:80>

[...]

</VirtualHost>

And in this section, add the following lines somewhere:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

If you already have a RewriteEngine On line somewhere, omit that line and insert the remaining two directly after the existing one. It is also fine to put all three at the very beginning of the virtual host block (the only requirement is that RewriteEngine On comes before the other two). The "L" flag in the rewrite rule stops further rule processing once the rule has been applied, so we can be sure that nothing else runs after the redirect. It follows that it is best to run this as early as possible, so that as little else as possible is executed.

With this, we have also protected the plain-text HTTP connection.

If we consider it more convenient, these three lines can also be placed at the very beginning of the .htaccess file in the web root, so that they run in all cases, regardless of whether the connection is HTTP or HTTPS.

Once everything is done, restart Apache:

systemctl restart apache2

With that, we are done on the LAMP server.
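As an added example (not part of the original article), here is a small Python audit script that checks a .vhost file for exactly the two things configured above: the Strict-Transport-Security header inside the *:443 block (with a max-age of at least one year and SSL enabled) and an HTTPS redirect in the *:80 block with RewriteEngine On placed before the RewriteRule. The virtual host text below is a constructed sample with an assumed site name, example.test, not a real configuration; to audit a real file, read it from /etc/apache2/sites-available/ and pass its contents to audit_vhost().

```python
import re
from typing import Dict, List

# Constructed sample .vhost (assumed site name example.test; not a real config).
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/web
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example.test/web
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    <IfModule mod_headers.c>
        Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>
"""

ONE_YEAR = 31536000  # seconds; the max-age used in the article

_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
_HSTS_RE = re.compile(
    r'^\s*Header\s+always\s+(?:add|set)\s+Strict-Transport-Security\s+"([^"]*)"',
    re.M | re.I,
)


def split_vhosts(text: str) -> Dict[str, str]:
    """Map each <VirtualHost ADDR> address (e.g. '*:443') to the block body."""
    return {m.group(1).strip(): m.group(2) for m in _VHOST_RE.finditer(text)}


def audit_vhost(text: str) -> List[str]:
    """Return a list of findings; an empty list means both blocks are set up."""
    findings: List[str] = []
    hosts = split_vhosts(text)

    # --- HTTPS virtual host: SSL on, HSTS header present, max-age >= 1 year ---
    https = hosts.get("*:443")
    if https is None:
        findings.append("no <VirtualHost *:443> block found")
    else:
        if not re.search(r"^\s*SSLEngine\s+on", https, re.M | re.I):
            findings.append("*:443: SSLEngine on not found; HSTS needs a working SSL host")
        hsts = _HSTS_RE.search(https)
        if not hsts:
            findings.append("*:443: no Strict-Transport-Security header directive")
        else:
            age = re.search(r"max-age=(\d+)", hsts.group(1), re.I)
            if not age or int(age.group(1)) < ONE_YEAR:
                findings.append("*:443: max-age is below one year (31536000)")

    # --- HTTP virtual host: redirect to https://, engine enabled before the rule ---
    http = hosts.get("*:80")
    if http is None:
        findings.append("no <VirtualHost *:80> block found")
    else:
        engine = re.search(r"^\s*RewriteEngine\s+On", http, re.M | re.I)
        rule = re.search(r"^\s*RewriteRule\s+\S+\s+https://", http, re.M | re.I)
        if not rule:
            findings.append("*:80: no RewriteRule redirecting to https://")
        elif not engine:
            findings.append("*:80: RewriteEngine On is missing")
        elif engine.start() > rule.start():
            findings.append("*:80: RewriteEngine On must come before the RewriteRule")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; an empty list means "looks good".
    print(audit_vhost(SAMPLE_VHOST) or "OK: HSTS header and HTTPS redirect are in place")
```

The script deliberately only looks at what the article configures; it does not replace `apachectl configtest`, which should still be run before restarting Apache.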


Setting in the ISPConfig control panel

For the ISPConfig setup, I'm using the Debian 10 (Buster) perfect server for demonstration, as it already has a working web account, so no special preparation is needed.

To set it up, log in to the control panel as an admin, then go to the Sites main menu. Here, select the website you want to set up:

ISPConfig - Select Website

Here, go to the Options tab, then scroll down to the bottom of the form:

ISPConfig - Website Setup - Apache Directives

Then insert the following section into the Apache directives field as shown in the image:

<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

Then save it.

Directive template setup

If you operate many websites, it is better to store such settings as a directive template (directive snippet): the setting itself is kept in one place, and only the snippet associated with it is inserted into the settings of the individual websites. To do this, go to the System main menu, select "Directive snippets" from the menu in the left column, then add a new item:

Set directive snippet

Here, give the template a name, for example "HSTS Header", choose Apache (default) as the type, put the three-line code fragment above into the Snippet field, then save it. If we now go back to the website settings where we previously entered this code fragment, our "HSTS Header" snippet appears as a link under the "Available Apache Directive Snippets:" line:

Using a directive template

If you click on this [HSTS Header] link, it pastes the saved code snippet into the field. That way, if we later add a new website to the control panel, we don't have to search for the things to set; we can simply insert the code snippets we saved as templates from here.

HTTPS redirection

One of the weaknesses of HSTS is that it provides no protection during the very first visit. So that our visitors already connect over HTTPS on their first visit, turn on HTTPS redirection, if we haven't done so before.

To do this, go back to the website settings and select the Redirect tab here:

ISPConfig - Website Setup - HTTPS Redirection

And here let's set the "Rewrite HTTP to HTTPS" option, as shown in the picture. Let's save it.

With these settings, we prevent anyone from connecting to our website over the unencrypted, plain-text, outdated HTTP protocol.


Inspection, testing

We can check the effectiveness of our work in two ways.

Check in your browser

This can be done in any browser; I will show how to check our configured HTTP header in Chrome.

After completing the previous settings, load or reload the website so that the settings take effect. Then right-click anywhere on the page and select the "Inspect" option at the bottom of the pop-up menu:

Browser - Website scan

Click on the Network tab; below it, a message says to refresh the page to record network activity. Press the CTRL + R key combination, or F5.

Then the parts of the page are loaded:

Browser - Website scan - Network

Here, click on any cell of the first (Name) column, and the request URL and the request and response headers for that item are loaded:

Browser - Website scan - Network - Headers

Here, scroll down until you find our configured HSTS header:

Browser - Website Scan - Network - Headers - HSTS

Testing with a web service

The other option for checking the HSTS HTTP header is to try it on a website created for this purpose. There are many such sites; in this example we will use the following web checker:

https://geekflare.com/tools/hsts-test

If we enter our domain name here, it outputs the result. Of course, only websites reachable from the Internet can be tested this way, so let's look at the linuxportal.info domain:

HSTS testing site

And if we scroll down, the exact header setting is also displayed:

HSTS testing site
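Both checks above rely on reading the response headers by eye. As an added example (not from the article or from the testing site it links), the following Python script does the same check programmatically: it parses the Strict-Transport-Security value, verifies the max-age, applies the preload requirements (max-age of at least one year and includeSubDomains when the preload token is present), flags a duplicated header (which can happen because `Header add` appends even if the header is already emitted elsewhere, e.g. from .htaccess), and checks that an HTTP response is a permanent redirect to https:// on the same host. The headers below are constructed samples; fetch_headers() is an assumed helper that needs network access and is only there to show how to run the check against a real domain.

```python
import http.client
from typing import Dict, List, Optional, Sequence, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000  # minimum max-age for the preload list

# Constructed sample HTTPS response headers (not captured from a real server).
SAMPLE_HTTPS_HEADERS: List[Header] = [
    ("Date", "Sun, 01 Jan 2023 22:23:00 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

# Constructed sample of the *:80 redirect response produced by the RewriteRule.
SAMPLE_HTTP_STATUS = 301
SAMPLE_HTTP_HEADERS: List[Header] = [
    ("Location", "https://example.test/"),
    ("Content-Length", "0"),
]


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into directives; names are case-insensitive (RFC 6797)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Sequence[Header]) -> List[str]:
    """Return findings for the HSTS header; an empty list means it is set correctly."""
    findings: List[str] = []
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    if len(values) > 1:
        findings.append(f"{len(values)} HSTS headers sent; browsers honour only the first")
    d = parse_hsts(values[0])
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
        return findings
    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is below one year (31536000)")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains")
        if age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


def check_redirect(status: int, headers: Sequence[Header], host: str) -> List[str]:
    """Check that the plain-HTTP response is a permanent redirect to https:// on the same host."""
    findings: List[str] = []
    if status not in (301, 308):
        findings.append(f"expected a 301/308 redirect, got {status}")
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if not location or not location.lower().startswith(f"https://{host.lower()}"):
        findings.append("Location does not point to https:// on the same host")
    return findings


def fetch_headers(host: str, path: str = "/") -> List[Header]:
    """Assumed helper for live use: HEAD request over HTTPS, returns the response headers."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run on the constructed samples; swap in fetch_headers("your.domain") for a live check.
    print("HSTS:", check_hsts(SAMPLE_HTTPS_HEADERS) or "OK")
    print("redirect:", check_redirect(SAMPLE_HTTP_STATUS, SAMPLE_HTTP_HEADERS, "example.test") or "OK")
```

Note that the browser and the Python checker only see what the server sends; both must be run against the HTTPS URL, since browsers ignore an HSTS header received over plain HTTP.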


Conclusion

Setting up the HSTS HTTP header is not complicated and in return offers a higher degree of protection for both our websites and our visitors.