Enable HSTS

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS instructs browsers to reach the site only over HTTPS for the time given in the header's max-age. This prevents downgrade attacks to an insecure HTTP connection.

Security Assessment

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Guides

Use the following guides to set the Strict-Transport-Security response header that enables HSTS. Browsers only honour the header when it arrives over a valid HTTPS connection, so it belongs in the TLS (port 443) server configuration, as in the examples below.

Let's Encrypt

With Let's Encrypt it is very easy to enable HSTS. When creating a new certificate, just add the --hsts flag. If your certificates were already generated by Let's Encrypt, run the same command and choose "Attempt to reinstall this existing certificate" as the first option. This will reuse your certificate and just enable HSTS (and, with --staple-ocsp, OCSP stapling). Because the header is written into the web server configuration, certbot run needs an installer plugin such as the apache or nginx plugin.

certbot run -d [DOMAIN] --staple-ocsp --hsts

Apache

On Apache you need to update your SSL configuration to include the correct Header directives. The Header directive needs mod_headers (on Debian/Ubuntu: a2enmod headers). Add this to the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<IfModule mod_ssl.c>
    # The stapling cache must be defined outside any VirtualHost
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
        # HSTS header (needs mod_headers); "always" also sends it on error responses
        Header always set Strict-Transport-Security "max-age=31536000"

        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www

        SSLEngine on

        SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key

        SSLCACertificateFile /etc/ssl/ca-certs.pem
        SSLUseStapling on
    </VirtualHost>
</IfModule>

nginx

On Nginx you need to update your SSL configuration, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS), to include the correct header with the add_header directive:

server {
    # HSTS header; "always" also sends it on error responses (nginx 1.7.5+).
    # Note: add_header lines inside a location block replace all inherited ones,
    # so repeat this line in any location that sets its own add_header.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name example.org;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/example.org/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.org/server.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}
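To confirm the header after applying one of these configurations, the following Python script is an added example and not part of this guide or Crashtest Security's scanner. It parses the Strict-Transport-Security value as RFC 6797 defines it, reports the cases that leave the header ineffective (no header, malformed or missing max-age, max-age=0, more than one header, no includeSubDomains), and can issue a live HEAD request against a host you name. The sample headers are constructed for the example, the one-year threshold is taken from the Apache example's max-age, and "example.com" is a placeholder.

```python
import http.client
import re

MIN_MAX_AGE = 31536000  # one year, the value the Apache example above sets
# Constructed sample response, mirroring the nginx example on this page.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubdomains; "),
]

def parse_hsts(value):
    """Return lower-cased HSTS directives, or None if max-age is missing/malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:  # directive names are case-insensitive, values may be quoted
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # browsers ignore the whole header in this case
    directives["max-age"] = int(max_age)
    return directives

def assess_hsts(headers):
    """Return findings for a list of (name, value) headers; [] means OK."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    if len(values) > 1:
        return ["invalid: several HSTS headers; browsers honour only the first"]
    parsed = parse_hsts(values[0])
    if parsed is None:
        return ["invalid: max-age missing or malformed, header is ignored"]
    findings = []
    if parsed["max-age"] == 0:
        findings.append("max-age=0 removes the host from the HSTS list")
    elif parsed["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max-age']} is below one year")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings

def fetch_headers(host, path="/"):
    """HEAD request over TLS; returns the response headers as (name, value)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()

if __name__ == "__main__":
    print(assess_hsts(fetch_headers("example.com")) or "OK")  # placeholder host
```

Run it against your own host after reloading the web server; an empty list means the header is present, long-lived and covers subdomains.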

For more information about Crashtest Security visit crashtest-security.com