How To: Enable HSTS on Vhosts and Over Port 2443

HTTP Strict Transport Security (HSTS), defined in RFC 6797, is a standard by which a site instructs browsers to connect to it only over HTTPS for the period given by max-age. Browsers honour the header only when it arrives over a valid HTTPS connection, which is why the procedures below place it in the SSL section of the configuration. The preload directive signals that the domain may be added to browsers' built-in preload lists; once a domain is on those lists, reverting to plain HTTP is not practical, so confirm that every subdomain serves HTTPS before using includeSubDomains and preload.

Detailed information on HSTS can be found here: https://https.cio.gov/hsts/.

Information on how to check if HSTS is enabled can be found here: https://www.namecheap.com/support/knowledgebase/article.aspx/9711/38/how-to-check-if-hsts-is-enabled/.

To Add HSTS to a Single Domain

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, navigate to /home/{unixuser}/var/{domain.com}/apache, replacing {unixuser} and {domain.com} with the corresponding information

    cd /home/{unixuser}/var/{domain.com}/apache
    
  3. Using a text editor, create a file called secure.conf. The following example uses the Vim text editor

    vim secure.conf
    
  4. Add the following line:

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    
  5. Save the file, and exit the text editor

  6. Restart Apache

    systemctl restart httpd
    

To Add HSTS to All Vhosts

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, run the following to edit the vhost template; editing the template rather than the generated vhost files prevents the changes from being overwritten upon update:

    ~iworx/bin/config.pex --customize-template http/vhost/single-vhost.tpl --for-global
    
  3. Edit the if $IS_SSL section to add the following:

    {if $IS_SSL}
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    {$Config->include('http/vhost/ssl')}
    {/if}
    
  4. Save the file and exit the text editor

  5. Re-write the vhosts using the following command:

    Note

    It is recommended to back up all vhosts prior to running this command.

    ~iworx/bin/httpd.pex --write-vhosts-all
    
  6. Check for syntax errors

    httpd -t
    
  7. Restart Apache

    systemctl restart httpd
    

To Add HSTS Over Port 2443

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, use a text editor to open /home/interworx/etc/httpd/httpd-custom.conf. The following example uses the Vim text editor

    vim /home/interworx/etc/httpd/httpd-custom.conf
    
  3. At line 85, add the following:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    

    The section will then look similar to the following:

    <IfDefine SSL>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    
  4. Restart InterWorx

    systemctl restart iworx
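After any of the three procedures above (single domain, all vhosts, or the InterWorx panel on port 2443), the header should be verified from a client. The following script is an added example and is not part of the InterWorx documentation or product; it uses only the Python 3 standard library, and the host name in main() is a placeholder. It goes somewhat beyond a simple presence check: it parses the Strict-Transport-Security value the way RFC 6797 specifies (directive names are case-insensitive, so the page's "includeSubdomains" and "includeSubDomains" spellings are equivalent; duplicate directives make the header invalid), and reports whether the policy meets the preload-list requirements (max-age of at least one year, includeSubDomains, preload).

```python
"""Verify Strict-Transport-Security headers after enabling HSTS.

Added example, not InterWorx code. Assumes Python 3 standard library only;
the host name used in main() is a placeholder.
"""
import http.client
import ssl
import sys

# Minimum max-age the browser preload list requires (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value into a dict, or return None if invalid.

    Follows RFC 6797: directives are separated by ';', names are
    case-insensitive, max-age is required, a repeated directive makes the
    header invalid, and unknown directives are ignored.
    """
    if value is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # RFC 6797 allows a quoted value
            if not val.isdigit():
                return None
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None  # max-age is mandatory
    return result


def evaluate_hsts(value):
    """Return a list of findings for an HSTS header value.

    An empty list means the policy is complete and preload-eligible.
    """
    policy = parse_hsts(value)
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS (browsers drop the policy)")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year; too short for the preload list")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent; subdomains are not protected")
    if not policy["preload"]:
        findings.append("preload absent; domain cannot be submitted to the preload list")
    return findings


def fetch_hsts(host, port=443, path="/", timeout=10):
    """Fetch the HSTS header from host:port over TLS; None if absent.

    Certificate verification stays on: browsers only accept the header
    over a connection without TLS errors, so the check should match.
    """
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    for port in (443, 2443):  # site vhost and the InterWorx panel port
        try:
            header = fetch_hsts(host, port)
        except OSError as exc:
            print(f"{host}:{port}: connection failed ({exc})")
            continue
        print(f"{host}:{port}: {header!r}")
        for finding in evaluate_hsts(header) or ["policy OK"]:
            print("  -", finding)
```

Run it as `python3 check_hsts.py domain.com` against the server after the restart. The vhost header from the first two procedures ("max-age=63072000; includeSubdomains; preload") evaluates with no findings; the port 2443 header ("max-age=31536000; includeSubDomains") is reported as lacking preload, which is expected for a control-panel port that will not be submitted to the preload list.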