HSTS on Apache

HTTP Strict Transport Security is a security measure for modern web sites. Not many years ago the internet used to be full of plain text HTTP. That is bad for security. Everyone between you and the server could read the content while you were surfing.

The Problem Scenario

We can imagine that you get free wifi at an air port or a cafe. You started surfing the web, maybe you logged in a site with username and password. Someone, such as the cafe owner, had set up a phising wifi access point which sends all the traffic directly to them before sending it out on the internet. Before you know it this party could read the username and password you just typed in. Your internet connection was unencrypted, and the owner of the internet read your passwords.

Unencrypted web traffic was solved years ago. Today every web site use https. The scenario I just detailed is not relevant any more. Web server adminstrators still serve the same site over http. Before you know it you, as the user, forget the “s” when you type “https://” in the addressbar. Boom! and you end up with an unencrypted site.

The Solution

So why does not web server administrators turn of (unencrypted) http?

The solution is quite simple. The web administrator install a header called Strict-Transport-Security on your web site. Often called just the hsts header. It tells modern browsers that regardless of what the user might do you should stick to the https version.

Setting it up on an old Mac

I have hsts configured on the this site. If you have read the previous posts you know that I am serving this site on mac pro with Apache installed via macports. (You can read up on Snow Leopard Web Server).

It is just a matter of sticking a new extra line into the virtual host section. I open terminal to do my editing.

I am using vim to do the editing.

sudo vim /opt/local/etc/apache2/extra/http-vhosts.conf

I find the relevant section and add the necessary line starting with Header always set

<VirtualHost *:443>
    ServerName oldmacblog.com
    Header always set Strict-Transport-Security "max-age=604800; includeSubDomains"

I restart my apache to make the change take effect

sudo apachectl -k restart

And then I test that my header is present with curl

curl -I https://oldmacblog.com
HTTP/1.1 200 OK
Date: Sat, 05 Aug 2023 21:37:09 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.1 PHP/8.2.8
Strict-Transport-Security: max-age=604800;
Upgrade: h2
Connection: Upgrade
Last-Modified: Thu, 03 Aug 2023 05:39:57 GMT
ETag: "170b-601fe35d90540"
Accept-Ranges: bytes
Content-Length: 5899
Vary: Accept-Encoding
Content-Type: text/html

From this output you can find Strict-Transport-Security right in the middle.

And that is it! Now I have HSTS on my site.

To learn more about hsts, and all the varations, see Strict-Transport-Security from MDN.