Enabling HTTP Strict Transport Security on debian servers
Posted by dkg on Thu 16 Dec 2010 at 10:48
I just enabled HTTP Strict Transport Security (HSTS) markers on a bunch of web servers that offer HTTPS.
It's an easy step to take, and it means that users of HSTS-compliant browsers (such as Chromium and the upcoming Firefox 4) or browsers with HSTS-compliant extensions (like Firefox's NoScript or HTTPS-Everywhere) will no longer be vulnerable to attacks like sslstrip once they have made one successful connection to the HSTS-enabled HTTPS web site.
It's not a perfect solution, but it is far better than the current situation. And it's easy to implement for websites that already use HTTPS.
For sites using apache, just enable mod_headers (on debian, that's:
a2enmod headers) and add the following line to your HTTPS vhost stanza:
Header add Strict-Transport-Security: "max-age=15768000"Depending on your setup, you may want to add the semicolon-delimited argument includeSubdomains, like this:
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"(note that the number of seconds above is roughly 6 months -- this is the duration that compliant clients will retain the protection).
If you're using nginx, just add this line to your host configuration:
add_header Strict-Transport-Security max-age=15768000;See also Wikipedia's helpful page on HSTS for more examples.