How To: Enable HSTS on Vhosts and Over Port 2443
================================================

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to reach a site only over HTTPS for the number of seconds given by ``max-age``; once a browser has seen it, plain-HTTP requests to that host are rewritten to HTTPS before they leave the browser. Detailed information on HSTS can be found here: `<https://https.cio.gov/hsts/>`__.

Information on how to check if HSTS is enabled can be found here: `<https://www.namecheap.com/support/knowledgebase/article.aspx/9711/38/how-to-check-if-hsts-is-enabled/>`__.

.. note::
   The ``Header`` directive used below requires ``mod_headers`` to be loaded in Apache. Browsers honor the header only when it arrives over a valid HTTPS connection, so the domain must already have a working certificate. The ``preload`` token asks browser vendors to ship the domain in their built-in HSTS list: it requires ``includeSubDomains``, commits every subdomain to HTTPS, and is slow to undo, so add it only for domains you intend to submit at hstspreload.org.

.. contents::

To Add HSTS to a Single Domain
------------------------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal
#. At the CLI, navigate to ``/home/{unixuser}/var/{domain.com}/apache``, replacing ``{unixuser}`` and ``{domain.com}`` with the corresponding information

   .. code-block::

      cd /home/{unixuser}/var/{domain.com}/apache

#. Using a text editor, create a file called ``secure.conf``. The following example uses the Vim text editor

   .. code-block::

      vim secure.conf

#. Add the following line:

   .. code-block::

      Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

#. Save the file, and exit the text editor
#. Restart Apache

   .. code-block::

      systemctl restart httpd

To Add HSTS to All Vhosts
-------------------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal
#. At the CLI, run the following to create a customized copy of the vhost template. Editing the copy rather than the stock template keeps the change from being overwritten when InterWorx is updated:

   .. code-block::

      ~iworx/bin/config.pex --customize-template http/vhost/single-vhost.tpl --for-global

#. Edit the ``{if $IS_SSL}`` section to add the ``Header`` line, so that it reads as follows. Because the line sits inside the ``$IS_SSL`` block, the header is emitted only by the SSL vhosts:

   .. code-block::

      {if $IS_SSL}
      Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
      {$Config->include('http/vhost/ssl')}
      {/if}

#. Save the file and exit the text editor
#. Re-write the vhosts using the following command:

   .. note::
      It is recommended to back up all vhosts prior to running this command, since it regenerates every vhost file from the template.

   .. code-block::

      ~iworx/bin/httpd.pex --write-vhosts-all

#. Check for syntax errors

   .. code-block::

      httpd -t

#. Restart Apache

   .. code-block::

      systemctl restart httpd

To Add HSTS Over Port 2443
--------------------------

The InterWorx control panel on port 2443 is served from its own configuration under ``/home/interworx/etc/httpd/`` and is restarted separately, so the vhost changes above do not cover it.

#. Log in to the server at the CLI as root, either via SSH or from the terminal
#. At the CLI, use a text editor to open ``/home/interworx/etc/httpd/httpd-custom.conf``. The following example uses the Vim text editor

   .. code-block::

      vim /home/interworx/etc/httpd/httpd-custom.conf

#. At line 85, just above the ``AddType`` directives, add the following:

   .. code-block::

      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

   The section will then look similar to the following:

   .. code-block::

      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl .crl

#. Save the file, and exit the text editor
#. Restart InterWorx

   .. code-block::

      systemctl restart iworx
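After any of the three procedures above, confirm that the header is really being sent and that it is in a form browsers and the preload list accept. The following is an added example script, not part of InterWorx or of this guide. It assumes only POSIX ``sh``, ``curl`` and the stock ``httpd`` binary; the header values and host names it works on are constructed for illustration. ``hsts_check_value`` parses one ``Strict-Transport-Security`` value offline and enforces the hstspreload.org submission rule (``max-age`` of at least one year, ``includeSubDomains``, and, when asked for, ``preload``); ``hsts_check_host`` fetches a live header with ``curl`` and feeds it to that parser; ``hsts_check_apache`` confirms the configuration parses and ``mod_headers`` is loaded.

```shell
#!/bin/sh
# Added example (not InterWorx code): verify HSTS after editing secure.conf,
# the vhost template or httpd-custom.conf. Assumes POSIX sh, curl and httpd.

MIN_MAX_AGE=31536000   # one year: the minimum hstspreload.org accepts

# Usage: hsts_check_value 'max-age=63072000; includeSubDomains; preload' [preload]
# Returns 0 when max-age is numeric and >= MIN_MAX_AGE, includeSubDomains is
# present and, if the second argument is "preload", the preload token is too.
# Prints the first problem found to stderr and returns 1 otherwise.
hsts_check_value() {
    hcv_want_preload=${2:-}
    hcv_max_age=""
    hcv_subdomains=0
    hcv_preload=0
    hcv_old_ifs=$IFS
    IFS=';'
    for hcv_directive in $1; do
        # directive names are case-insensitive (RFC 6797); drop surrounding blanks
        hcv_directive=$(printf '%s' "$hcv_directive" | tr -d ' \t' | tr 'A-Z' 'a-z')
        case $hcv_directive in
            max-age=*)         hcv_max_age=${hcv_directive#max-age=} ;;
            includesubdomains) hcv_subdomains=1 ;;
            preload)           hcv_preload=1 ;;
        esac
    done
    IFS=$hcv_old_ifs

    case $hcv_max_age in
        ''|*[!0-9]*)
            echo "max-age missing or not numeric: '$hcv_max_age'" >&2
            return 1 ;;
    esac
    if [ "$hcv_max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "max-age $hcv_max_age is below the one-year minimum $MIN_MAX_AGE" >&2
        return 1
    fi
    if [ "$hcv_subdomains" -ne 1 ]; then
        echo "includeSubDomains is missing" >&2
        return 1
    fi
    if [ "$hcv_want_preload" = preload ] && [ "$hcv_preload" -ne 1 ]; then
        echo "preload is missing" >&2
        return 1
    fi
    return 0
}

# Usage: hsts_check_host example.com [preload]   (use host:2443 for the panel)
# Fetches only the response headers over HTTPS and checks the first
# Strict-Transport-Security line. Needs network access.
hsts_check_host() {
    hch_line=$(curl -sSI --max-time 10 "https://$1/" | tr -d '\r' \
               | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hch_line" ]; then
        echo "$1: no Strict-Transport-Security header on https://$1/" >&2
        return 1
    fi
    hsts_check_value "$(printf '%s' "$hch_line" | sed 's/^[^:]*: *//')" "$2"
}

# Usage: hsts_check_apache
# A missing mod_headers makes every "Header" directive a syntax error, so
# check the module list first, then let httpd parse the full configuration.
hsts_check_apache() {
    if ! httpd -M 2>/dev/null | grep -q 'headers_module'; then
        echo "mod_headers is not loaded; Header directives will fail" >&2
        return 1
    fi
    httpd -t
}

# When run directly: check each host named on the command line, requiring the
# preload form that the vhost template above emits, e.g.
#   sh hsts-check.sh example.com www.example.com
for hc_host in "$@"; do
    if hsts_check_host "$hc_host" preload; then
        echo "$hc_host: HSTS OK"
    fi
done
```

Call ``hsts_check_host panel.example.com:2443`` without the second argument to validate the port-2443 header, which this guide deliberately configures without ``preload``.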