Implementing HSTS Across Web Servers
Implementing HSTS Across Web Servers
Apache Configuration
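# Enable mod_headers (needed for the Header directive) and mod_ssl (needed for
# SSLEngine in the :443 vhost). a2enmod is the Debian/Ubuntu helper; on other
# distributions load the modules with LoadModule in httpd.conf instead.
a2enmod headers
a2enmod ssl
# Validate the configuration before reloading: a typo in an HSTS or SSL
# directive takes the whole site down, and a wrong max-age is cached by
# clients for its full lifetime.
apachectl configtest && systemctl reload apache2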
# Global HSTS configuration
# NOTE(review): at server scope this applies to every HTTPS vhost on this
# instance, and "includeSubDomains" then commits every subdomain of every
# served name to HTTPS. Prefer setting the header per <VirtualHost *:443>
# (as done below, which overrides this one for example.com) unless every
# site on this host is meant to be covered.
<IfModule mod_headers.c>
# Only set HSTS on HTTPS connections. The HTTPS env var is set by mod_ssl,
# so the header is never emitted on plain-HTTP responses (RFC 6797 §7.2
# forbids sending it there; browsers ignore it anyway). "always" also adds
# the header on non-2xx responses (redirects, errors), not just successes.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
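# Virtual host configuration (HTTPS only). HSTS belongs here and nowhere
# else: the header is only honoured when received over a valid TLS
# connection, and RFC 6797 §7.2 forbids sending it over plain HTTP.
<VirtualHost *:443>
    ServerName example.com
    # HSTS with preload.
    # "preload" is an opt-in to the browser preload list (hstspreload.org):
    # once submitted it is effectively irreversible for months, and
    # "includeSubDomains" means EVERY subdomain (including internal or
    # forgotten ones) must serve valid HTTPS or it stops working. Verify that
    # before enabling it; a shorter max-age during roll-out limits the blast
    # radius of a mistake. The preload list requires max-age >= 31536000,
    # includeSubDomains and preload, all present here. "always" keeps the
    # header on redirects and error responses as well.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # TLS configuration
    SSLEngine on
    # Restrict to TLS 1.2/1.3, matching the nginx example on this page.
    # "+TLSv1.3" needs httpd >= 2.4.37 built against OpenSSL >= 1.1.1;
    # on older builds use "SSLProtocol -all +TLSv1.2".
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # SSLCertificateFile may hold the leaf plus intermediates (httpd >= 2.4.8);
    # an incomplete chain makes clients reject the connection, and HSTS then
    # offers no "proceed anyway" escape hatch.
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
</VirtualHost>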
# Redirect HTTP to HTTPS
# Keep this vhost free of any Strict-Transport-Security header: it is ignored
# over HTTP and RFC 6797 §7.2 forbids sending it there. For preload
# eligibility the HTTP->HTTPS hop must stay on the same host, which
# https://example.com satisfies; if a ServerAlias (e.g. www.example.com) is
# added later it needs its own same-host redirect rather than this one.
<VirtualHost *:80>
ServerName example.com
# "Redirect" appends the remaining request path (and query string) to the
# target, so deep links survive the redirect.
Redirect permanent / https://example.com/
</VirtualHost>
Nginx Configuration
# HTTPS server block
server {
listen 443 ssl http2;
server_name example.com;
# HSTS configuration
# "always" emits the header on every status code (redirects and errors
# included), not just 2xx, as the preload checker expects.
# CAVEAT: nginx does not merge add_header across levels. Any add_header
# inside a location {} of this server silently discards every header added
# here, including HSTS; repeat this line in such locations or pull it in
# from a shared include snippet.
# The preload list requires max-age >= 31536000 with includeSubDomains and
# preload; "preload" commits every subdomain to HTTPS for a long time, so
# confirm that before enabling it.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# SSL configuration
# ssl_certificate should contain the full chain (leaf + intermediates).
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers only governs TLS 1.2; TLS 1.3 suites are fixed by the library.
ssl_ciphers HIGH:!aNULL:!MD5;
}
# HTTP to HTTPS redirect
# No HSTS header in this block: it is ignored over HTTP (RFC 6797 §7.2).
server {
listen 80;
server_name example.com;
# $server_name expands to the first name in server_name (here the only one).
# If aliases are added, switch to $host so each name redirects to itself:
# preload submission requires the HTTP->HTTPS hop to stay on the same host.
# $request_uri keeps the original path and query string.
return 301 https://$server_name$request_uri;
}
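# Subdomain wildcards with HSTS
server {
    listen 443 ssl http2;
    server_name *.example.com;
    # This server needs a certificate covering *.example.com. The original
    # block had no ssl_certificate at all; unless one is inherited from the
    # enclosing http {} block, nginx fails its config check for a
    # "listen ... ssl" server without a certificate.
    ssl_certificate /path/to/wildcard-cert.pem;
    ssl_certificate_key /path/to/wildcard-key.pem;
    # Same TLS floor as the apex server block.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # HSTS for subdomains. "preload" is only meaningful on the registrable
    # domain, so it is omitted here. The apex header's includeSubDomains
    # already pins these hosts once a browser has seen example.com; this
    # header covers browsers that reach a subdomain first. Add
    # includeSubDomains here as well if deeper sub-subdomains must be
    # covered from this entry point. Same add_header caveat as the apex block:
    # any add_header inside a location {} below drops this header.
    add_header Strict-Transport-Security "max-age=31536000" always;
}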
IIS Configuration
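<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!--
      Both rules below need the IIS URL Rewrite module, which is a separate
      download, not part of a default IIS install.

      The original used <httpProtocol><customHeaders> to add the HSTS header.
      That emits it on every response, including plain-HTTP ones, which
      RFC 6797 §7.2 forbids (browsers ignore it there, but it still leaks
      policy and fails strict scanners). The outbound rewrite rule below sets
      the header only when {HTTPS} is "on".

      On IIS 10.0 version 1709 and later, native HSTS support exists instead
      via <site><hsts enabled="true" max-age="31536000" includeSubDomains="true"
      preload="true" redirectHttpToHttps="true" /> in applicationHost.config;
      use one mechanism, not both, or the header is sent twice.
    -->
    <rewrite>
      <rules>
        <!-- URL Rewrite for HTTP to HTTPS. The redirect targets the same
             {HTTP_HOST}, which preload submission requires; the query
             string is appended by default (appendQueryString="true"). -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:0}"
                  redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Add Strict-Transport-Security only on HTTPS responses.
             "preload" is an opt-in to the browser preload list and is
             effectively irreversible for months; "includeSubDomains" commits
             every subdomain to valid HTTPS. Verify both before enabling. -->
        <rule name="Add Strict-Transport-Security over HTTPS only" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>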