Enabling HSTS in Apache on OES

  • 7025122
  • 27-May-2021
  • 27-May-2021

Environment

Open Enterprise Server 2018 (OES 2018) Linux Support Pack 2
Open Enterprise Server 2018 (OES 2018) Linux Support Pack 1

Situation

Enabling HSTS in Apache on OES

Resolution

1) Run this command to enable headers:
a2enmod headers


2) Add the following line to /etc/apache2/vhosts.d/vhost-ssl.conf at the top of the VirtualHost section. Also, add this line to any custom Virtual Hosts configured on the server:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"


Example:

<VirtualHost _default_:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"


3) Restart apache2 with this command:
systemctl restart apache2


4) One way to test HSTS is using curl with a command such as this (does not work with self-signed certs):
curl -I https://example.com

If HSTS is successfully enabled, the output will include:

Strict-Transport-Security: max-age=63072000; includeSubdomains;
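
The check in step 4 as a reusable script. This is an added example, not part of the original article; the function names check_hsts and sample_response are hypothetical and the sample response is constructed. It matches the header case-insensitively and fails when the header is absent or max-age is below the value set in step 2.

```shell
#!/bin/sh
# Added example: check_hsts and sample_response are hypothetical helper names.
# check_hsts reads HTTP response headers on stdin and returns non-zero when the
# HSTS header is missing, has no valid max-age, or max-age is below a minimum.
# Real use: curl -sI https://example.com | check_hsts
check_hsts() {
    min_age="${1:-63072000}"    # default: the max-age configured in step 2
    # Header and directive names are case-insensitive; curl output ends in CRLF.
    parsed=$(tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            found = 1
            sub(/^[^:]*:/, "")                  # keep only the header value
            n = split(tolower($0), d, ";")      # a trailing ";" yields an empty field
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", d[i])
                if (d[i] ~ /^max-age=[0-9]+$/) age = substr(d[i], 9)
                if (d[i] == "includesubdomains") subdom = "yes"
            }
            exit
        }
        END {
            if (!found) exit
            if (age == "") age = "none"
            if (subdom == "") subdom = "no"
            print age, subdom
        }')
    if [ -z "$parsed" ]; then
        echo "FAIL: no Strict-Transport-Security header in response"
        return 1
    fi
    age=${parsed% *}
    subdomains=${parsed#* }
    if [ "$age" = "none" ]; then
        echo "FAIL: header present but max-age is missing or malformed"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$age is below the required $min_age"
        return 1
    fi
    echo "OK: max-age=$age includeSubDomains=$subdomains"
}

# Constructed sample of `curl -sI` output, not captured from a real server.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Strict-Transport-Security: max-age=63072000; includeSubdomains;\r\n\r\n'
}
sample_response | check_hsts
```

Run it against each virtual host name served by the machine, since step 2 requires the header line in every custom Virtual Host as well as vhost-ssl.conf.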