What is Lack of Security Headers Strict-Transport-Security Vulnerability?

HTTP Strict Transport Security (HSTS) is a web security policy technique in which a web server specifies that compliant user agents (such as a web browser) must interact with it via secure (HTTPS) connections exclusively. The server communicates the HSTS Policy to the user agent using an HTTP response header field named “Strict-Transport-Security.” The HSTS Policy sets a time period during which the user agent must only visit the server in a secure manner.

Conformant user agents respond as follows when a web application issues an HSTS Policy to them:

  • Any insecure (HTTP) links referencing the web application are automatically converted to secure (HTTPS) links. (For example, before reaching the server, http://example.com/some/page/ will be changed to https://example.com/some/page/.)
  • If the security of the connection cannot be guaranteed (for example, if the server’s TLS certificate is self-signed), user agents display an error message and deny the user access to the web application; unlike a plain HTTPS visit, the certificate warning cannot be clicked through.

Configure your web server so that plain HTTP requests are redirected to HTTPS and the Strict-Transport-Security header is sent on HTTPS responses (user agents ignore the header when it arrives over HTTP).

For example, for Apache, you should make changes to the httpd.conf file. Please see the External References section for further settings.

# load modules (mod_rewrite is needed for the redirect, mod_headers for the HSTS header)
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so

# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>
    ServerAlias *
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

# HTTPS-Host-Configuration
<VirtualHost *:443>
    # Use HTTP Strict Transport Security to force client to use secure connections only
    # "always" also adds the header to error responses (4xx/5xx), not only to 2xx
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Further Configuration goes here
    [...]
</VirtualHost>
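To verify a deployment, the check below parses a captured Strict-Transport-Security value the way a browser does (RFC 6797 syntax) and reports the findings this page describes: header missing, malformed, max-age too short, or includeSubDomains absent. This is an added example written for this page, not ZOFixer's scanner code; the one-year threshold and the sample header maps are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# One year, the max-age used in the Apache example above; a finding is raised
# below it (assumption: threshold chosen for this example, not a page value).
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an STS field value into {directive_lowercase: value_or_None}.

    Returns None when the value is malformed: max-age missing or not an
    integer, or a directive repeated (RFC 6797 s6.1 allows each once)."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, eq, raw = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        # the value may be a quoted-string, e.g. max-age="31536000"
        directives[name] = raw.strip().strip('"') if eq else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        return None
    return directives


def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (names case-insensitive).
    An empty list means the HSTS policy looks sound."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed Strict-Transport-Security value: %r" % value]
    findings: List[str] = []
    max_age = int(parsed["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("max-age %d is below one year (%d)" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    return findings


if __name__ == "__main__":
    # constructed sample: the headers of an HTTPS response with no HSTS policy
    print(assess_hsts({"Content-Type": "text/html"}))
```

Feed it the header map of an HTTPS response (for example from `curl -sI https://host`); a response fetched over plain HTTP is not a valid source, since the header only counts when received over TLS.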

The ZOFixer.com security scan helps to find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
