Environment
Situation
Resolution
1) Run this command to enable headers:
a2enmod headers
2) Add the following line to /etc/apache2/vhosts.d/vhost-ssl.conf at the top of the VirtualHost section. Also, add this line to any custom Virtual Hosts configured on the server:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
For example:
<VirtualHost _default_:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
3) Restart apache2 with this command:
systemctl restart apache2
4) One way to test HSTS is using curl with a command such as this (does not work with self-signed certs):
curl -I https://example.com
If HSTS is successfully enabled, the output will include:
Strict-Transport-Security: max-age=63072000; includeSubdomains;
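The check in step 4 can be scripted so that it fails when the header is missing or weaker than the configured policy. The following is an added example, not part of the original article: check_hsts is a hypothetical helper name, and the sample responses are constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example: validate the HSTS header in `curl -sI` output read from stdin.
# Live use:  curl -sI https://example.com | check_hsts 63072000
# check_hsts is a hypothetical helper name; $1 is the minimum acceptable max-age.
check_hsts() {
    min_age=${1:-63072000}
    # Header names are case-insensitive and curl prints CRLF line endings.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    max_age=""; subdomains=no
    old_ifs=$IFS; IFS=';'
    for directive in $value; do   # split the value into its directives
        d=$(printf '%s' "$directive" | tr -d ' \t"' | tr 'A-Z' 'a-z')
        case $d in
            max-age=*) max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
        esac
    done
    IFS=$old_ifs
    case $max_age in
        ''|*[!0-9]*) echo "FAIL: missing or non-numeric max-age: $value"; return 1 ;;
    esac
    # max-age=0 tells browsers to drop the policy, so it fails this check too.
    if [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$max_age is below $min_age"; return 1
    fi
    if [ "$subdomains" != yes ]; then
        echo "FAIL: includeSubdomains is missing"; return 1
    fi
    echo "OK: max-age=$max_age includeSubDomains=$subdomains"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=63072000; includeSubdomains;\r\n')
SAMPLE_SHORT=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300; includeSubdomains\r\n')

printf '%s\n' "$SAMPLE_OK" | check_hsts 63072000
printf '%s\n' "$SAMPLE_SHORT" | check_hsts 63072000 || true
```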