How to Configure HTTP Strict Transport Security (HSTS) with Apache

xjxwbfso2f0 scaled
xjxwbfso2f0 scaled

This brief tutorial shows students and new users how to configure HTTP Strict Transport Security (HSTS) with Apache on Ubuntu Linux.

If you’re using HTTPS or going to be using it on your websites, then HSTS is something you might want to configure.

HTTP Strict Transport Security (HSTS) is a security policy that helps protect against downgrade attacks and cookies hijacking. When configured, your web server enforces strict HTTPS connection for web browsers and never via the insecure HTTP protocol.

To enhance connections to your Apache web server, ensure that HSTS is also enabled to help protect against a man-in-the-middle attack.

Since newer web browsers are all HSTS enabled, this should work across most systems. When a web browser contacts an HSTS-enabled server, the browser, by default, looks for a special HTTP header related to HSTS.

If the special header is enabled, the web server instructs the browser to only communicate over HTTPS. When the web browser receives the instruction from the header, the following connection after that will always be HTTPS and never HTTP.

This ensures that the connection between the web server and the web browser is protected.

How to enable the Apache headers module

To use HSTS with Apache, you’ll want to enable the Apache headers module. To do that, run the command below:

sudo a2enmod headers

How to enable HSTS with Apache

After enabling the headers module for Apache, look at the VirtualHost file for your website and add the line below.

The line should be placed between the <VirtualHost *:443> and </VirtualHost>

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

An example VirtualHost file with HSTS enabled should look similar to the one below.

<VirtualHost *:443>
       # The ServerName directive sets the request scheme, hostname and port
       # the server uses to identify itself. This is used when creating
       # redirection URLs. In the context of virtual hosts, the ServerName
       # specifies what hostname must appear in the request's Host: header to
       # match this virtual host. For the default virtual host (this file) this
       # value is not decisive as it is used as a last resort host regardless.
       # However, you must set it for any further virtual host explicitly.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Because you enabled HTST in Apache, you’ll also want to redirect all connections over HTTPS. To do that, open the Apache default SSL configuration file.

The default SSL file on the Ubuntu system is at /etc/apache2/sites-enabled/000-default-ssl.conf

Redirect all traffic on HTTP to HTTPS. This is a must if you want HSTS to function correctly with Apache.

Open the Apache default SSL configuration file, add the code block in that config file and save.

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Add the highlighted lines and save.

<VirtulHost *:80>  
       RewriteEngine on
       RewriteCond %{SERVER_NAME} [OR]
       RewriteCond %{SERVER_NAME}
       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]


Once you’re done, restart Apache.

sudo systemctl restart apache2

That should do it!


This post showed you how to enable HSTS with Apache in Ubuntu. Please use the comment form below if you find any errors above or have something to add.

Posted by
Richard W

I love computers; maybe way too much. What I learned I try to share at

1 Comment

  1. HTTP Strict Transport Security (HSTS) is an important setting that all HTTPS -only sites should use. After understanding the risks outlined in this page, and ensuring you set this up correctly there is no maintenance required for this security setting, so it’s a one off hit for a long term gain. As well as adding security, the reduction in the redirect improves performance, and finally also can help avoid mixed content alerts for resources accidentally served over HTTP on the same domain. We strongly recommend using, though the use of includeSubdomains and the preload list will take some more thought and may not be possible for all sites.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: