URL: https://linux-audit.com/configure-hsts-http-strict-transport-security-apache-nginx/

Linux Audit

The Linux security blog about Auditing, Hardening, and Compliance


2014-08-12 (last updated at February 12th, 2019) by Michael Boelen. Categories: Hardening, Software, Web. 2 comments


CONFIGURE HSTS (HTTP STRICT TRANSPORT SECURITY) FOR APACHE AND NGINX


HSTS CONFIGURATION FOR APACHE AND NGINX

HTTP Strict Transport Security (or HSTS) is a security capability that forces web
clients to use HTTPS. The idea behind HSTS is that clients should always
communicate as safely as possible. To achieve this, the web server and web
browser will prefer the HTTPS protocol instead of plain HTTP.


BENEFITS

The clear benefit of “forcing” a client to use HTTPS directly is a lower risk of
sharing sensitive information via a protocol which can be snooped upon.
Additionally, it improves performance by eliminating one redirect response
(301/302). Another benefit is that a secure connection is enforced, and the
client is denied if this cannot be guaranteed (e.g. an expired or self-signed
certificate).

Screenshot: HTTPS configured with HSTS, HPKP and forward secrecy.


CONFIGURE HSTS ON APACHE

Load the headers and mod_rewrite modules (just to be sure):

> # Load modules (or use the IfModule)
> LoadModule headers_module modules/mod_headers.so
> 
> LoadModule rewrite_module modules/mod_rewrite.so

Rewrite HTTP connections and redirect them to HTTPS:

> # Redirect HTTP connections to HTTPS
> 
> <IfModule mod_rewrite.c>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> </IfModule>

Now configure the virtual host:

> <VirtualHost 192.168.1.1:443>
> # Use straight double quotes, not typographical ones, or Apache will send the header value including the quote characters
> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
> </VirtualHost>


CONFIGURE HSTS ON NGINX

To use HSTS on Nginx, use the add_header directive in the configuration. Then
tell clients to use HSTS with a specific age.

> add_header Strict-Transport-Security max-age=31536000;

Adjust the related virtual hosts to perform a redirect (301) to the secured
version of the website:

> server {
>   listen 80;
>   # Plain HTTP: only redirect, do not send the HSTS header here
>   return 301 https://$server_name$request_uri;
> }
> 
> server {
>   # The 443 listener needs "ssl", otherwise nginx speaks plain HTTP on this port
>   listen 443 ssl;
>   # Certificate paths are placeholders; point them at your own files
>   ssl_certificate     /path/to/fullchain.pem;
>   ssl_certificate_key /path/to/privkey.pem;
> 
>   add_header Strict-Transport-Security max-age=31536000;
> }


IMPORTANT NOTES

The HSTS header should only be sent over a secured channel; HTTP responses
should therefore not include it.

max-age

Within the header, max-age defines the period for which the site is willing to
be accessed via HTTPS only (the 31536000 seconds in the examples are 12 months).
Usually, the exact amount of time is less important, because the trend is to
keep using HTTPS for privacy and data protection anyway.

Top level domain (TLD)

Additionally, make sure the top level domain itself is also properly configured
for HSTS. This reduces attacks on the underlying subdomain names.
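To turn the notes above into a check, here is an added example (not code from linux-audit.com) that parses a Strict-Transport-Security header per RFC 6797 and flags the three points this page makes: the header must not be sent over plain HTTP, max-age should be at least the 31536000 seconds used in the examples, and includeSubDomains should be present. The sample responses are constructed; the third one reproduces the typographical-quote problem from the Apache snippet.

```python
# Added example (not from linux-audit.com): check a response's HSTS policy
# against the advice above, using RFC 6797 directives max-age/includeSubDomains.
ONE_YEAR = 31536000  # the max-age used in the Apache and Nginx examples


def parse_hsts(value):
    """Parse an STS header value into {directive: value}; None if invalid."""
    policy = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in policy:  # RFC 6797 6.1: a directive must not repeat
            return None
        policy[name] = val.strip().strip('"')
    if not policy.get("max-age", "").isdigit():  # max-age is required
        return None
    policy["max-age"] = int(policy["max-age"])
    return policy


def check_hsts(scheme, headers, min_age=ONE_YEAR):
    # Returns a list of findings; an empty list means the policy matches the advice.
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if scheme == "http":
        # Browsers ignore HSTS on plain HTTP; the page says not to send it there.
        return ["HSTS header sent over plain HTTP"] if hsts is not None else []
    if hsts is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    policy = parse_hsts(hsts)
    if policy is None:
        return ["unparseable HSTS header: %r" % hsts]
    findings = []
    if policy["max-age"] < min_age:
        findings.append("max-age %d below %d" % (policy["max-age"], min_age))
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing")
    return findings


# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "apache": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "nginx": ("https", {"strict-transport-security": "max-age=31536000"}),
    "curly_quotes": ("https", {"Strict-Transport-Security": "\u201cmax-age=31536000; includeSubDomains\u201d"}),
    "http_redirect": ("http", {"Location": "https://example.com/", "Strict-Transport-Security": "max-age=31536000"}),
}

if __name__ == "__main__":
    for name, (scheme, hdrs) in SAMPLES.items():
        print(name, check_hsts(scheme, hdrs) or "ok")
```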


TECHNICAL DETAILS

RFC: RFC6797 (HTTP Strict Transport Security (HSTS))


MORE RESOURCES

See also the Wikipedia page on HTTP Strict Transport Security.


HISTORY

March 2015: Added screenshot

Feb 2017: Minor updates



 * apache
 * hsts
 * nginx


2 COMMENTS

 * Anonymous, 2016-05-01, 5:03 AM

   The header stanza for Apache uses typographical open and close quotes, rather
   than the standard doublequote required by programming languages and
   configuration files. Please consider switching the quotation marks to
   “straight quotes”, to avoid creating problems for people who copy and paste.

   * Michael Boelen, 2016-05-06, 2:11 PM

     This is caused by WordPress, sorry about that.

