Enable the headers module in Apache2;
a2enmod headers
In :80 host-entry;
In :443 host-entry;
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
This means browsers *should* remember for the next year (31536000 seconds) that your site must be accessed via HTTPS; browsers ignore this header when it arrives over plain HTTP, which is why it belongs in the :443 host entry
Ref;
- https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
- https://itigloo.com/security/how-to-configure-http-strict-transport-security-hsts-on-apache-nginx/
Clickjacking
To prevent clickjacking, add the following headers as well;
Header always append X-Frame-Options "DENY"
Header always append Content-Security-Policy "frame-ancestors 'none';"
The second line covers older browsers that don’t support the X-Frame-Options header
Ref;
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
- https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet
The resulting :443 conf file will contain;
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
Header always append X-Frame-Options "DENY"
Header always append Content-Security-Policy "frame-ancestors 'none';"
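To confirm the :443 vhost really sends these three headers, here is an added Python checker (not part of the original note); it parses a raw header block such as the output of `curl -sI https://your.host/` and assumes the header values shown above (the embedded SAMPLE is constructed, not captured from a real server).

```python
"""Check an HTTPS response's headers for the HSTS and clickjacking headers above.
Reads a raw header block (e.g. `curl -sI https://host/`) on stdin, else uses SAMPLE."""
import re
import sys

ONE_YEAR = 31536000
# Constructed sample of what the :443 vhost above should return.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains;\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none';\r\n"
)


def parse_headers(raw):
    """Map lowercased header name -> list of values (duplicates kept visible)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(raw):
    """Return {check_name: passed} for the three headers in this note."""
    h = parse_headers(raw)
    out = {}
    # HSTS: present, max-age of at least a year, includeSubDomains. Directive
    # names are case-insensitive (RFC 6797), so "includeSubdomains" passes.
    hsts = h.get("strict-transport-security", [])
    dirs = [d.strip().lower() for d in ";".join(hsts).split(";") if d.strip()]
    ages = [int(d[8:]) for d in dirs if d.startswith("max-age=") and d[8:].isdigit()]
    out["hsts_present"] = bool(hsts)
    out["hsts_max_age_ok"] = bool(ages) and ages[0] >= ONE_YEAR
    out["hsts_include_subdomains"] = "includesubdomains" in dirs
    # X-Frame-Options must be one DENY or SAMEORIGIN token; a merged value such
    # as "DENY, DENY" (what `Header append` on two config levels yields) fails.
    xfo = [v.strip().upper() for v in ",".join(h.get("x-frame-options", [])).split(",") if v.strip()]
    out["xfo_ok"] = len(xfo) == 1 and xfo[0] in ("DENY", "SAMEORIGIN")
    # CSP: a frame-ancestors directive with at least one source expression.
    csp = " ".join(h.get("content-security-policy", []))
    out["csp_frame_ancestors"] = re.search(r"frame-ancestors\s+\S", csp) is not None
    return out


if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, ok in check_headers(raw).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Pipe the headers of the HTTPS vhost in (`curl -sI https://your.host/ | python3 check_headers.py`); fetching the :80 vhost instead will report HSTS as missing, since the header is only set in the :443 entry.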