
How to enable HSTS

The web server does not offer HTTP Strict Transport Security. HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection.

Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy that ensures that browsers always connect to websites via HTTPS. Part of its purpose is to remove the need to redirect users from HTTP to HTTPS website versions or secure any such redirects.

This is achieved via the HSTS header sent by the server back to the client at the beginning of the connection. This header informs the browser that after the first visit, which HSTS does not cover, it should interact with the website only via HTTPS.

The Strict Transport Security header also prevents users from ignoring browser warnings about invalid or insecure SSL/TLS certificates. 

How to enable HSTS?

Below you can find examples of how to enable HSTS on different platforms. 

It’s important to note that when deploying, HSTS policy should be declared at the base domain (sometimes called the root domain, though there is a difference). In our case, that would be https://crashtest-security.com/ instead of https://www.crashtest-security.com/. 

To cover subdomains, the includeSubDomains directive should be utilized. But for this to work, all subdomains associated with the base domain must naturally also support HTTPS. 

Use the following guides to set the correct header enabling HSTS.

Let’s Encrypt

With Let’s Encrypt, it is straightforward to enable HSTS. When creating a new certificate with certbot, just add the --hsts flag. If your certificates were already generated by Let’s Encrypt, run the same command and choose “Attempt to reinstall this existing certificate” as the first option. This reuses your certificate and adds the HSTS header to the web server configuration (the --staple-ocsp flag in the command below also enables OCSP stapling).

certbot run -d [DOMAIN] --staple-ocsp --hsts

nginx

On Nginx you need to update your SSL configuration, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS), to include the correct header with the add_header directive:

server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name example.org;

    # Two-year policy that also covers subdomains. "always" makes nginx send
    # the header on error responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/example.org/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.org/server.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}

Apache

On Apache you need to update your SSL configuration to include the correct Header directives. Add this to the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<IfModule mod_ssl.c>
    # The stapling cache must be defined outside any VirtualHost.
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
        # Requires mod_headers. "always" also sets the header on error responses.
        # Append "; includeSubDomains" once every subdomain serves HTTPS.
        Header always set Strict-Transport-Security "max-age=31536000"

        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www

        SSLEngine on

        SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key

        SSLCACertificateFile /etc/ssl/ca-certs.pem
        SSLUseStapling on
    </VirtualHost>
</IfModule>
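After deploying any of the configurations above, verify the header the server actually returns. The following checker is an added example, not code from this guide or from certbot, nginx or Apache: it parses a Strict-Transport-Security value the way RFC 6797 specifies (case-insensitive directives, exactly one max-age, unknown directives ignored) and flags the weak settings discussed on this page; the one-year threshold is the Apache example's max-age, and the header dicts it is fed are constructed samples.

```python
"""Parse and check a Strict-Transport-Security header value (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # the max-age used in the Apache example above

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Return the policy, or None when the header is missing or invalid;
    RFC 6797 needs exactly one max-age and ignores unknown directives."""
    if value is None:
        return None
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ";" such as some configs emit
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None  # duplicate or non-numeric max-age: invalid header
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)

def check_hsts(headers: dict) -> list:
    """Return findings for a response-header dict; an empty list means OK."""
    lookup = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings
```

Feed check_hsts the response headers from any HTTPS client (for example the output of curl -sI against the base domain) to confirm the deployed policy matches what was configured.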