
How to enable HSTS on a web server


4.0 - Updated on 2021-02-12 by Carlos Salazar (Inactive)

3.0 - Updated on 2020-08-17 by Peter Rzeminski

2.0 - Updated on 2020-08-10 by Peter Rzeminski

1.0 - Authored on 2020-08-05 by Peter Rzeminski


 

Intended for:

This article is intended for those who run an IIS or Apache httpd web server.

 


Scenario/Use case:

What is the user trying to do?

Enable an HSTS (HTTP Strict Transport Security) header on an IIS or Apache httpd web server.

 


Instructions:

NOTE: DO NOT add "includeSubDomains" or "preload" to the header. Only enter the header as shown in the instructions below.

IIS Instructions

Apache httpd Instructions

 

IIS - Configuring HTTP Strict Transport Security

The setting can be configured at web server level or web site level.

  1. Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.
  2. Expand the IIS server or the site node; in the Features View, click “HTTP Response Headers”.
  3. In the Actions panel, click Add and enter:

    Name: Strict-Transport-Security
    Value: “max-age=3600” (for a test/development server)
           “max-age=31536000” (for a production server)

  4. Close the IIS Manager after confirmation.
  5. Run the iisreset command or reboot the server.

 

Redirecting HTTP requests to HTTPS

Method 1:

  1. Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.
  2. Click on HTTP Redirect.
  3. Check the Redirect box and enter the target URL (HTTPS). Set the status to permanent redirect (301).

 

Method 2:

Install the URL Rewrite module on the server and use “Add Rule(s)”.

Once the SSL certificate is installed, your site still remains accessible over a plain, unencrypted HTTP connection. To connect securely, visitors must type the "https://" prefix manually when entering your site’s address in their browser.

To force a secure connection on your website, you need to set up an HTTP-to-HTTPS redirection rule. This way, anyone who enters your site using a link like “yourdomain.com” is redirected to “https://yourdomain.com” or “https://www.yourdomain.com” (depending on your choice), so the traffic between the server and the client is encrypted.

Below are the steps to set up an IIS HTTPS redirect:

  1. Download and install the URL Rewrite module.
  2. Open the IIS Manager console and, in the left-side menu, select the server or website you want the redirection to apply to, then double-click the URL Rewrite icon.
  3. Click Add Rule(s) in the right-side menu.
  4. Select Blank Rule in the "Inbound rules" section, then press OK.
  5. Enter any rule name you wish.
  6. In the Match URL section:
    1. Select Matches the Pattern in the Requested URL drop-down menu.
    2. Select Regular Expressions in the Using drop-down menu.
    3. Enter the following in the Pattern field: (.*)
    4. Check the Ignore case box.
  7. In the Conditions section, select Match All under the Logical Grouping drop-down menu and press Add.
  8. In the prompted window:
    1. Enter {HTTPS} as the condition input.
    2. Select Matches the Pattern from the drop-down menu.
    3. Enter ^OFF$ as the pattern.
    4. Press OK.
  9. In the Action section, select Redirect as the action type and specify the following for Redirect URL:

             https://{HTTP_HOST}{REQUEST_URI}

  10. Un-check the Append query string box.
  11. Select the Redirection Type of your choice. The whole Action section should look like this:

[screenshot of the completed Action section]

Apache httpd Instructions

If you have a website on your server that MUST run unencrypted on HTTP (Port 80 usually) and MUST be seen on the open Internet, contact Fermilab Computer Security to discuss options. You may be required to move your web server behind the VPN for access.

For web servers that must run one or more sites over HTTP, all steps below go into each individual VirtualHost:443 entry. DO NOT do this in the VirtualHost:80 section, or the website will break.

If you already have a redirect in place sending HTTP traffic (port 80 typically) to HTTPS (port 443 typically), then skip Step 1 and go straight to Step 2.

  1. Redirect all HTTP traffic to HTTPS

    1. On a per-VirtualHost basis, insert the following after the ServerName entry:

      # No longer using HTTP 80, HTTPS only.
      RewriteEngine On
      RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]

    2. Restart your Apache httpd process and confirm that everything is working as expected.

  2. Serve an HSTS header

    1. Five Minute Test Phase

      1. Insert the following line into each VirtualHost:443 entry:

        Header always set Strict-Transport-Security "max-age=300"

      2. Restart your web server. Visit your website with your browser to confirm it is running.
      3. From a command prompt, run the following to confirm that the HSTS header is being served:

        $ curl -s -D- https://YOUR-WEBSITE-URL-HERE/ | grep Strict

        You should see the following returned:

        Strict-Transport-Security: max-age=300

    2. Production Phase

      1. Go back into each Header entry and change the max-age value from 300 to 31536000.
      2. Restart your web server. Visit your website with your browser to confirm it is running.
      3. From a command prompt, run the following to confirm that the HSTS header is being served:

        $ curl -s -D- https://YOUR-WEBSITE-URL-HERE/ | grep Strict

        You should see the following returned:

        Strict-Transport-Security: max-age=31536000

You are done.
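The curl | grep check above only shows whether the header is present. The script below is an added example (not part of the original article) that evaluates captured response headers the way a reviewer would: it parses the Strict-Transport-Security value, reports whether max-age matches the test or production phase, flags the includeSubDomains and preload directives the article says not to add, and confirms that the plain-HTTP response is a 301 to an https:// URL. The sample captures are constructed; feed it the output of `curl -s -D- https://your-site/` for a real check.

```python
"""Offline checker for the HSTS and redirect setup described in this article."""
import re

TEST_MAX_AGE = 300             # Apache five-minute test phase (IIS test value is 3600)
PRODUCTION_MAX_AGE = 31536000  # one year, production phase


def parse_headers(raw):
    """Return (status code, {lower-cased header name: value}) from raw response text."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)   # split only once: Location values contain ':'
            headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; None if malformed/missing."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_hsts(raw_https_response):
    """Classify the HSTS header served over HTTPS into test / production / unexpected."""
    _, headers = parse_headers(raw_https_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return {"present": False, "max_age": None, "phase": "missing", "extra_directives": []}
    max_age = hsts_max_age(value)
    directives = [d.strip().lower() for d in value.split(";")[1:] if d.strip()]
    extra = [d for d in directives if d in ("includesubdomains", "preload")]  # article: do not add
    if max_age == PRODUCTION_MAX_AGE:
        phase = "production"
    elif max_age is not None and max_age < PRODUCTION_MAX_AGE:
        phase = "test"
    else:
        phase = "unexpected"
    return {"present": True, "max_age": max_age, "phase": phase, "extra_directives": extra}


def check_redirect(raw_http_response):
    """True if the plain-HTTP response is a permanent (301) redirect to an https:// URL."""
    status, headers = parse_headers(raw_http_response)
    return status == 301 and headers.get("location", "").lower().startswith("https://")


# Constructed sample captures (not real server output); example.org is a placeholder host.
HTTPS_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=31536000\r\n"
HTTPS_TEST = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
HTTPS_BAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.org/index.html\r\n"
```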

 
