HTTP Strict Transport Security (HSTS) is a response header with which a web server tells the client browser that it must not connect over plain HTTP. Once the browser has seen it, every attempt to reach the site over HTTP is automatically converted into an HTTPS request instead. This is one of the most misunderstood subjects for some reason. You would think every government institution, bank, credit card, insurance or healthcare company would want this enabled by default, right? Most do not!
The client's plain HTTP request is answered with a redirect to HTTPS. A redirect to HTTPS sent over HTTP! Yes! That is bad, right? No! You want this! You are redirecting the client's HTTP request to an encrypted request over HTTPS before any application content is exchanged. That redirect is the only information you share with the connecting client over the unencrypted HTTP response; the HTTP exchange carries nothing other than the reroute to HTTPS. This is our preference and lowers your risk profile for attack vectors. Truly, turning off HTTP is the best, but the standards have not been updated to address this issue.
Not adding HSTS is a serious mistake! Every major application and browser works with it. We do not recommend making the headers a global configuration; instead, add the headers to each web site's config file. Any enterprise internal environment should have this globally. You must always be in control of the clients; the clients should never dictate the terms of the connection.
The following are the recommended headers to ensure a client never connects to the application/site unless it is secure, and remains connected securely. For even the very first HTTP request to be rejected and replaced with an HTTPS connection, before the browser has ever received the header from your site, preloading is required. ***Add preload to the configuration once you have submitted your site to the browser preload list!
If there is a fat-finger or something is not set up quite right, your site will be unavailable. If this happens, turn off HSTS and troubleshoot the issue. As always, test and retest in a sandbox prior to going live.
nano /etc/apache2/sites-available/EXAMPLE_com.conf
<VirtualHost *:80>
    ServerName EXAMPLE.com
    ServerAlias www.EXAMPLE.com
    # Option 1: mod_alias. The trailing slash on the target matters: with it,
    # a request for http://www.EXAMPLE.com/page is sent to https://EXAMPLE.com/page;
    # without it the remaining path would be glued directly onto the host name.
    Redirect permanent / https://EXAMPLE.com/
    # Option 2 (use instead of Option 1): mod_rewrite, requires "a2enmod rewrite".
    # The leading slash is made optional so the target does not get a double slash.
    #RewriteEngine On
    #RewriteRule ^/?(.*)$ https://EXAMPLE.com/$1 [L,R=301]
    DocumentRoot /var/www/html/EXAMPLE
    DirectoryIndex index.html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
systemctl restart apache2
nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # .............................. (existing certificate and site directives omitted)
    <IfModule mod_headers.c>
        Header unset ETag
        FileETag None
        # mod_headers cannot remove the Server header, which the core adds after
        # this module runs; use "ServerTokens Prod" in the global config to minimise it.
        Header unset Server
        Header always set X-Content-Type-Options "nosniff"
        # Legacy header: current browsers ignore it; kept only for older clients.
        Header always set X-XSS-Protection "1; mode=block"
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
        # X-Content-Security-Policy with "allow" was the pre-standard form and is no
        # longer honoured; the standard header and directive are:
        Header set Content-Security-Policy "default-src 'self';"
        Header set X-Frame-Options DENY
        # The value must be quoted as one argument. Note that a public one-year
        # cache applies to every response from this vhost; limit it to static content.
        Header set Cache-Control "public, max-age=31536000"
        Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t"
        # HSTS belongs only in the HTTPS vhost: browsers ignore it when received over HTTP.
        # Leave out "preload" until the site has been submitted to the preload list.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
systemctl restart apache2
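As an added example that is not part of the original write-up: a small Python checker that applies the checks above to the pair of responses a client receives from the :80 and :443 virtual hosts. The sample responses are constructed, and the preload conditions it enforces (one-year max-age plus includeSubDomains) are the ones the browser preload list requires.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # minimum max-age the browser preload list accepts

@dataclass
class HstsPolicy:
    max_age: "int | None"
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Parse an HSTS value (RFC 6797): ';'-separated, case-insensitive names."""
    policy = HstsPolicy(None, False, False)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def audit(http_status: int, http_headers: dict, https_headers: dict) -> list:
    """Findings for the two responses a client gets from the :80 and :443 vhosts."""
    findings = []
    location = http_headers.get("Location", "")
    # The plaintext vhost should do nothing but permanently redirect to https://
    if http_status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("HTTP vhost does not permanently redirect to https://")
    # Browsers ignore HSTS received over plaintext, so it is checked on the HTTPS side
    hsts = https_headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing from HTTPS response")
    else:
        policy = parse_hsts(hsts)
        if policy.max_age is None:
            findings.append("HSTS max-age missing or not an integer")
        elif policy.max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {policy.max_age} is below one year")
        if policy.preload and not (policy.include_subdomains and (policy.max_age or 0) >= ONE_YEAR):
            findings.append("preload set without includeSubDomains and a one-year max-age")
    for name in ("X-Content-Type-Options", "X-Frame-Options", "Content-Security-Policy"):
        if name not in https_headers:
            findings.append(f"{name} missing from HTTPS response")
    return findings

# Constructed sample responses (not captured from a real server), matching the config above
GOOD_HTTP = (301, {"Location": "https://EXAMPLE.com/page"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
              "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self';"}
```

Running audit(*GOOD_HTTP, GOOD_HTTPS) against the sample returns an empty list; swap in a real pair of captured responses to check a deployment.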