HSTS – HTTP Strict Transport Security

Enable the headers module in Apache2 (then reload Apache):

a2enmod headers

In the :80 host-entry, do not set the header: browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797), so that entry only needs to redirect to the HTTPS site.

In the :443 host-entry:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

This tells browsers that for the next year (31536000 seconds) they must reach the site over HTTPS only: http:// URLs are rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through. The timer is refreshed every time a response carries the header. includeSubDomains extends this to every subdomain, so check that all of them already serve HTTPS before enabling it.

Ref:

  • https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
  • https://itigloo.com/security/how-to-configure-http-strict-transport-security-hsts-on-apache-nginx/

Clickjacking

To prevent clickjacking, also add the following headers:

Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'none'"

The first line is for older browsers that do not support the CSP frame-ancestors directive; the second is the current standard, and browsers that support frame-ancestors ignore X-Frame-Options when it is present. Use set rather than append: appending produces a second, comma-joined value when the application already sends the header, and browsers do not agree on how to treat a multi-valued X-Frame-Options. If the application already sends its own Content-Security-Policy, add frame-ancestors to that policy instead of overwriting it here.

Ref:

  • https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
  • https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

The resulting :443 conf file will contain:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'none'"
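To confirm the headers actually reach the browser, here is a small audit script, added as an example and not part of the original post. It parses a response head (the output of `curl -sI https://your.host`) and checks the three headers above the way a browser reads them, including the multi-valued X-Frame-Options that `Header append` can produce. The two sample responses are constructed for illustration, not captured from a real server.

```python
"""Audit the HSTS and anti-clickjacking headers the post configures.
Added example, not code from the original post; sample responses are constructed."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # the max-age the post recommends, in seconds


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values from a response head.

    A header sent twice, or comma-joined by Apache's `Header append`, ends up
    as several values, which is exactly what the audit needs to notice.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        values = [v.strip() for v in value.split(",") if v.strip()]
        headers.setdefault(name.strip().lower(), []).extend(values)
    return headers


def audit(raw_response: str, scheme: str = "https") -> Dict[str, str]:
    """Return one finding per header: HSTS, X-Frame-Options, CSP frame-ancestors."""
    h = parse_headers(raw_response)
    findings: Dict[str, str] = {}

    # HSTS directives are ';'-separated and case-insensitive (RFC 6797); when
    # the header arrives more than once, browsers process only the first.
    hsts = h.get("strict-transport-security", [])
    if scheme != "https":
        findings["hsts"] = "ignored: browsers discard HSTS received over plain HTTP"
    elif not hsts:
        findings["hsts"] = "missing"
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r"max-age=(\d+)", d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            findings["hsts"] = "invalid: no max-age directive"
        elif max_age < ONE_YEAR:
            findings["hsts"] = f"weak: max-age={max_age} is under one year"
        elif "includesubdomains" not in directives:
            findings["hsts"] = "ok, but subdomains are not covered"
        else:
            findings["hsts"] = "ok"

    # X-Frame-Options must be a single DENY or SAMEORIGIN. Two values (what
    # `Header append` yields when the app already sets the header) are handled
    # differently by different browsers, so flag them.
    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings["x-frame-options"] = "missing"
    elif len(xfo) > 1:
        findings["x-frame-options"] = f"unreliable: multiple values {xfo}"
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = f"invalid: {xfo[0]!r}"
    else:
        findings["x-frame-options"] = "ok"

    # Every comma-separated CSP policy is enforced, so a frame-ancestors
    # directive in any of them counts.
    frame_ancestors = None
    for policy in h.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                frame_ancestors = [p.lower() for p in parts[1:]]
    if frame_ancestors is None:
        findings["frame-ancestors"] = "missing"
    elif frame_ancestors == ["'none'"]:
        findings["frame-ancestors"] = "ok"
    else:
        findings["frame-ancestors"] = "framing allowed from: " + " ".join(frame_ancestors)
    return findings


# Constructed sample: what the post's :443 host-entry should produce.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html
"""

# Constructed sample of common mistakes: a short test max-age left in place,
# a second X-Frame-Options from `Header always append` on top of the one the
# application sends, and a CSP with no frame-ancestors directive.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(raw))
```

Paste the output of curl -sI into audit(); any finding other than "ok" means the browser is not seeing the configuration above. Pass scheme="http" when testing the :80 host-entry to be reminded that HSTS is ignored there.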
