We mentioned before how we switched to SSL back in 2017.
I want to add here how to set HSTS to prevent a well-known SSL attack called SSL Strip.
- What is SSL Strip?
You can watch the full talk to understand in detail how this works here.
Basically, the attacker is somehow (we don't care how) a MITM sitting between the victim and the authentic server.
The attacker can then perform a downgrade attack on SSL and turn every HTTPS connection into a plain-text HTTP connection.
Now the attacker can simply sniff all data communicated between the victim and the server.
The attacker is also free to modify the data and carry out other attacks, such as injecting malware into the traffic.
- What is HSTS?
HSTS, or HTTP Strict Transport Security, lets a web server declare that web browsers (or other web clients) should only interact with it over secure HTTPS connections and never via the insecure HTTP protocol. This simple instruction defeats the SSL Strip attack.
- So, how to add HSTS to Apache
First, you need to enable the headers module (headers.load); you can do this automatically with the following command:
a2enmod headers
Now go to the enabled sites configuration directory and edit your SSL virtual host section:
/etc/apache2/sites-enabled
Add the following Header line inside the SSL virtual host block, so that it looks like this:
<VirtualHost _default_:443>
ServerName addaxsoft.com
ServerAdmin support@addaxsoft.com
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
[...]
Now your browser will no longer fall back to plain HTTP once you have browsed to the HTTPS site for the first time!
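To show what the browser actually does with that header (this is an added example, not code from the original post), the following Python model parses a Strict-Transport-Security value the way RFC 6797 describes and keeps a small HSTS cache: a policy is only accepted over HTTPS, http:// URLs for a known host (and its subdomains when includeSubDomains is set) are rewritten to https:// before any request leaves the browser, and the entry expires after max-age seconds. The hostnames and the fake clock are illustrative; the header value is the one from the post.

```python
"""Minimal model of browser HSTS behaviour (RFC 6797). Added example, not from the post."""
import time
from urllib.parse import urlsplit, urlunsplit

# Header value as set in the Apache config above (directive names are case-insensitive).
POST_HEADER = 'max-age=63072000; includeSubdomains;'


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {'max_age', 'include_subdomains'}.

    Returns None when the header is unusable (missing or non-numeric max-age),
    in which case a browser ignores it entirely.
    """
    max_age = None
    include_subdomains = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerates the trailing ';' in the post's value
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (e.g. preload) are not part of the browser policy; ignored
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """In-memory HSTS store keyed by host, with an injectable clock for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    def observe(self, url, header_value):
        """Record the policy from a response. Only honoured on HTTPS responses."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False  # an HSTS header over plain HTTP is ignored (RFC 6797 §8.1)
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._entries[host] = {
            "expires": self._now() + policy["max_age"],
            "include_subdomains": policy["include_subdomains"],
        }
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry["expires"] <= now:
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would really request (http -> https for known hosts)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            # explicit port 80 becomes the default HTTPS port; any other port is kept
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://addaxsoft.com/", POST_HEADER)
    for u in ("http://addaxsoft.com/login", "http://www.addaxsoft.com/", "http://other.example/"):
        print(u, "->", cache.rewrite(u))
```

Two practical notes follow from the model: the policy is only learned from an HTTPS response, so restart Apache after a2enmod and the config change and confirm the header is really served, for example with curl -sI https://yourhost | grep -i strict-transport-security; and because includeSubDomains is set, every subdomain must also work over HTTPS, otherwise browsers that have cached the policy will refuse to load it.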
//Stay secure 🙂