How to enable HSTS on a web server
Intended for:
This article is intended for those who use the IIS or Apache httpd web server.
Scenario/Use case:
What is the user trying to do?
Enable an HSTS header on an IIS or Apache httpd web server.
Instructions:
NOTE: DO NOT add "includeSubDomains" or "preload" to the header. Only enter the header as shown in the instructions below.
IIS - Configuring HTTP Strict Transport Security
The setting can be configured at web server level or web site level.
- Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.
- Expand the IIS server or a site; in the Features View, click “HTTP Response Headers”.
- In the Actions panel, click Add and enter:
Name: Strict-Transport-Security
Value: “max-age=3600” (for a test/development server)
Value: “max-age=31536000” (for a production server)
- Close the IIS Manager after confirmation.
- Run iisreset command or reboot the server.
Redirecting HTTP requests to HTTPS
Method 1:
- Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.
- Click on HTTP Redirect.
- Check the Redirect box and enter the target URL (HTTPS). Set the status to permanent redirect (301).
Method 2:
- Add the URL Rewrite module to the server and use “Add Rule(s)”, as described in the following steps.
Once the SSL certificate is installed, your site still remains accessible via a regular insecure HTTP connection. To connect securely, visitors must specify the "https://" prefix manually when entering your site’s address in their browsers.
To force a secure connection on your website, you need to set up an HTTP-to-HTTPS redirection rule. This way, anyone who enters your site using a link like “yourdomain.com” is redirected to “https://yourdomain.com” or “https://www.yourdomain.com” (depending on your choice), so the traffic between the server and the client is encrypted.
Below are the steps to set up an IIS HTTPS redirect:
- Download and install the URL Rewrite module.
- Open the IIS Manager console and, in the left-side menu, select the server or website you would like to apply the redirection to. Double-click the URL Rewrite icon.
- Click Add Rule(s) in the right-side menu.
- Select Blank Rule in the "Inbound section", then press OK.
- Enter any rule name you wish.
- In the Match URL section:
  - Select Matches the Pattern in the Requested URL drop-down menu.
  - Select Regular Expressions in the Using drop-down menu.
  - Enter the following pattern in the Match URL section: (.*)
  - Check the Ignore case box.
- In the Conditions section, select Match all under the Logical Grouping drop-down menu and press Add.
- In the prompted window:
  - Enter {HTTPS} as a condition input.
  - Select Matches the Pattern from the drop-down menu.
  - Enter ^OFF$ as a pattern.
  - Press OK.
- In the Action section, select Redirect as the action type and specify the following for Redirect URL:
https://{HTTP_HOST}{REQUEST_URI}
- Un-check the Append query string box.
- Select the Redirection Type of your choice. The whole Action section should look like this:
If you have a website on your server that MUST run unencrypted on HTTP (Port 80 usually) and MUST be seen on the open Internet, contact Fermilab Computer Security to discuss options. You may be required to move your web server behind the VPN for access.
Apache httpd - Configuring HTTP Strict Transport Security
For web servers that must run one or more sites over HTTP, all steps below go into each individual VirtualHost:443 entry. DO NOT do this in the VirtualHost:80 section, or the website will break.
If you already have a redirect in place sending HTTP traffic (port 80 typically) to HTTPS (port 443 typically) then skip Step 1 and go straight to Step 2.
- Step 1: Redirect all HTTP traffic to HTTPS
- On a per-VirtualHost basis, insert the following after the ServerName entry:
# No longer using HTTP 80, HTTPS only.
# Requires mod_rewrite to be loaded.
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
- Restart your Apache httpd process and confirm that everything is working as expected.
- Step 2: Serve an HSTS header
- Five Minute Test Phase
- Insert the following line into each VirtualHost:443 entry:
# Requires mod_headers to be loaded.
Header always set Strict-Transport-Security "max-age=300"
- Restart your web server. Visit your website with your browser to confirm it is running.
- From a command prompt, run the following to confirm that the HSTS header is being served:
$ curl -s -D- https://YOUR-WEBSITE-URL-HERE/ | grep Strict
You should see the following returned:
Strict-Transport-Security: max-age=300
- Production Phase
- Go back into each Header entry and change the time from 300 to 31536000.
- Restart your web server. Visit your website with your browser to confirm it is running.
- From a command prompt, run the following to confirm that the HSTS header is being served:
$ curl -s -D- https://YOUR-WEBSITE-URL-HERE/ | grep Strict
You should see the following returned:
Strict-Transport-Security: max-age=31536000
You are done.
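As an added check that is not part of the original article, the following Python script verifies what either procedure above (IIS or Apache httpd) should produce: plain HTTP answers with a 301 to the same host over https://, and the HTTPS response carries Strict-Transport-Security with the article's max-age (300 or 3600 in the test phases, 31536000 in production) and no includeSubDomains or preload. It assumes a host name passed on the command line; the phase names and the check functions are this example's own, written so the header and redirect logic can be exercised offline with constructed inputs.

```python
import http.client
import sys

EXPECTED_MAX_AGE = {"test": 300, "iis-test": 3600, "production": 31536000}  # values from this article

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}, directive names lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts(value, phase="production"):
    """List the problems with an HSTS header value; an empty list means it matches the article."""
    d, problems = parse_hsts(value), []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(d["max-age"]) != EXPECTED_MAX_AGE[phase]:
        problems.append(f"max-age is {d['max-age']}, expected {EXPECTED_MAX_AGE[phase]} for {phase}")
    for forbidden in ("includesubdomains", "preload"):  # the article says not to add these
        if forbidden in d:
            problems.append(f"'{forbidden}' directive present; the article says not to add it")
    return problems

def check_redirect(status, headers, host):
    """List the problems with the plain-HTTP response; it must be a 301 to https:// on the same host."""
    problems = []
    if status != 301:
        problems.append(f"HTTP response is {status}, expected 301 (permanent redirect)")
    location = headers.get("location", "")
    if not location.lower().startswith(f"https://{host.lower()}"):
        problems.append(f"Location is {location!r}, expected https://{host}/...")
    if "strict-transport-security" in headers:
        problems.append("HSTS header sent over plain HTTP; browsers ignore it there, serve it on HTTPS only")
    return problems

def fetch(host, https):
    """GET / without following redirects; returns (status, headers with lower-cased names)."""
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(host, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}

if __name__ == "__main__":  # usage: python check_hsts.py www.example.org [test|iis-test|production]
    site, phase = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "production")
    findings = check_redirect(*fetch(site, False), site)
    findings += check_hsts(fetch(site, True)[1].get("strict-transport-security", ""), phase)
    print("\n".join(findings) or f"OK: {site} redirects to HTTPS and serves the {phase} HSTS header")
```

Run it once after the test phase and again after switching to the production value; an empty findings list is the same result the curl check above gives, with the redirect and the forbidden directives checked as well.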