How to set HSTS header from .htaccess only on HTTPS

My web application runs on a number of different hosts that I control. To avoid having to change the Apache configuration for each vhost, I add most of the configuration using the .htaccess files in my repo, so the basic setup of each host is just a few lines. It also allows the configuration to change when you deploy a new version. Currently .htaccess (un)sets headers, does rewrite magic and controls UA caching.

I want to include HSTS in an application using .htaccess. Just setting the header is easy:

Header always set Strict-Transport-Security "max-age=31536000" 

However, the specification clearly states: "The HSTS host MUST NOT include the STS header field in HTTP responses sent over insecure transport." Therefore, I do not want to send the header over HTTP connections. See http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14 .

I tried to set the header using environment vars, but I got stuck there. Does anyone know how to do this?

+66
apache .htaccess mod-headers
Jun 10 '14 at 15:10
5 answers

There seems to be an HTTPS environment variable available that can be used for this. For people with the same question:

 Header set Strict-Transport-Security "max-age=31536000" env=HTTPS 
+98
Jun 10 '14 at 15:31

To build on nielsr's answer, I used the following in .htaccess to follow the secure deployment guidelines at https://hstspreload.org, which hardcodes the domain into the Chrome browser. Keep in mind that this will force the use of HSTS on all of your subdomains, and that preloading cannot easily be undone, so rtfm.

    <IfModule mod_headers.c>
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    </IfModule>
+22
Sep 13 '16 at 2:54

For httpd.conf (if you have edit access), you can use:

    <VirtualHost 65.81.122.43:443>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    </VirtualHost>

NOTE: you need to set it only on the HTTPS host; it cannot be on the HTTP host.

When should I use .htaccess files, and when should I not?

Allowing .htaccess files will force Apache to search for them every time it accesses your server. Since parent directories are also searched, this will take some (small) amount of time and may affect the performance of your server. Source

+3
Mar 17 '17 at 9:50

Another alternative is to always set the header and conditionally remove it again for non-SSL connections:

    # both directives use the 'always' condition so that set and unset operate
    # on the same header table (err_headers_out); a plain 'Header unset' only
    # touches the onsuccess table and would leave the always-set header in place
    Header always set Strict-Transport-Security "max-age=31536000" early
    Header always unset Strict-Transport-Security env=!HTTPS

This has the advantage that the Header directive can be used with both the env clause and the early flag. Within a single Header directive, env and early cannot be used together; they are mutually exclusive (see the official documentation: https://httpd.apache.org/docs/current/mod/mod_headers.html#header ).

0
Jan 15 '19 at 13:53

You can put this in your .htaccess file to meet the https://hstspreload.org requirements:

    # RewriteEngine must be enabled explicitly in per-directory (.htaccess) context
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L,E=HTTPS:1]
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

First, it redirects non-HTTPS requests to HTTPS, and then redirects non-www HTTPS requests to www HTTPS, with the HSTS header.

(http://example.com -> https://example.com -> https://www.example.com, with the HSTS header)

Tested and meets https://hstspreload.org

0
May 09 '19 at
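The thread gives several Apache snippets but no way to confirm that a deployment actually behaves as the question requires. The following checker is an added example (not code from the question, from any answer, or from Apache) that encodes the two rules discussed here: the Strict-Transport-Security header must be absent on plain-HTTP responses (the "MUST NOT ... over insecure transport" rule the question quotes, RFC 6797 section 7.2), and on HTTPS responses it should carry the directives the hstspreload.org answers use (max-age=31536000, includeSubDomains, preload). It parses the header value per RFC 6797 section 6.1 (case-insensitive names, no duplicate directives, unknown directives ignored, quoted values allowed) so it also catches malformed values. The minimum max-age is taken from the answers' snippets, and the sample responses are constructed for the example rather than captured from a real host; to check a live host, feed it the scheme and response headers from any HTTP client.

```python
"""Offline checker for the HSTS behaviour this thread is about (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Taken from the max-age value used in the answers above; hstspreload.org's
# current minimum should be confirmed separately (assumption in this example).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    """Result of parsing one Strict-Transport-Security field value."""
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value per RFC 6797 section 6.1.

    Directives are separated by ';', names are case-insensitive, each may
    appear at most once, and unknown directives are ignored. An empty
    directive (for example a trailing ';') is permitted by the grammar.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # directive-value may be a quoted-string
        if name in seen:
            policy.errors.append("duplicate directive: " + name)
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", arg):
                policy.max_age = int(arg)
            else:
                policy.errors.append("max-age is not a non-negative integer: %r" % arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.errors.append("max-age directive missing")
    return policy


def check_response(scheme: str, headers: Dict[str, str],
                   want_preload: bool = True) -> List[str]:
    """Return findings for one response; an empty list means it is fine.

    scheme is "http" or "https"; headers maps response header names (in any
    case) to their values.
    """
    findings = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        # RFC 6797 section 7.2: the header must not be sent over insecure transport
        if hsts is not None:
            findings.append("HSTS header sent over insecure transport")
        return findings
    if hsts is None:
        return ["HSTS header missing on HTTPS response"]
    policy = parse_hsts(hsts)
    findings.extend(policy.errors)
    if want_preload:
        if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("max-age %d below %d" % (policy.max_age, PRELOAD_MIN_MAX_AGE))
        if not policy.include_subdomains:
            findings.append("includeSubDomains missing")
        if not policy.preload:
            findings.append("preload missing")
    return findings


# Constructed sample responses, one (scheme, headers) pair each; they are not
# captured from any real host.
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "http-clean": ("http", {"Location": "https://www.example.com/"}),
    # what the question wants to avoid: the header leaking onto plain HTTP
    "http-leaks": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "https-preload": ("https", {"strict-transport-security":
                                "max-age=31536000; includeSubDomains; preload"}),
    "https-short": ("https", {"Strict-Transport-Security":
                              "max-age=300; includeSubDomains;"}),
    "https-dup": ("https", {"Strict-Transport-Security":
                            "max-age=1; max-age=2; preload"}),
}


def run_samples() -> Dict[str, List[str]]:
    """Check every constructed sample and return its findings by name."""
    return {name: check_response(scheme, hdrs) for name, (scheme, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against both the port-80 and port-443 responses of a host: a clean deployment of any of the snippets above yields no findings for the HTTPS response and no findings for the HTTP response, while a configuration that forgot the env=HTTPS condition (or used a plain `Header unset` against an `always`-set header) shows up as "HSTS header sent over insecure transport".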
