Configure HSTS (HTTP Strict Transport Security) for Apache/Nginx


HTTP Strict Transport Security (HSTS) is a mechanism that lets a website tell web clients to use HTTPS only. Once a browser has received the HSTS policy from a site over HTTPS, it goes directly to HTTPS for every later request to that host, for as long as the policy is valid, instead of first trying plain HTTP and waiting for a redirect.


The clear benefit of "forcing" a client to use HTTPS directly is a lower risk of leaking sensitive information (cookies, credentials, session tokens) over a protocol that can be snooped upon or altered in transit, including the first, unencrypted request that would normally precede a redirect. It also improves performance by eliminating one redirect response (301/302) per visit. A third benefit is that the secure connection becomes mandatory: when it cannot be guaranteed (e.g. an expired or self-signed certificate), a browser that knows the HSTS policy refuses the connection outright, without the usual click-through warning.

Screenshot: HTTPS configured with HSTS, HPKP and forward secrecy.

Configure HSTS on Apache

Load the headers and mod_rewrite modules (just to be sure they are available; on Debian/Ubuntu use `a2enmod headers rewrite` instead, which creates the symlinks for you):

# Load modules (or wrap the directives that need them in <IfModule>)
# The module path depends on your distribution; this is the layout of a stock httpd install.
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so

Rewrite HTTP connections and redirect them to HTTPS. This block belongs in the plain-HTTP (port 80) virtual host; the closing tag is required, otherwise Apache refuses to start:

# Redirect HTTP connections to HTTPS (port 80 virtual host)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Now adjust the HTTPS virtual host(s) to send the HTTP Strict Transport Security (HSTS) header. Put this line inside the port 443 virtual host only, not in the plain-HTTP one. Use straight double quotes; typographic quotes are not accepted by Apache. The `always` condition makes the header appear on error responses (4xx, 5xx) too, not only on successful ones:

# Send the HSTS header (HTTPS virtual host only)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Configure HSTS on Nginx

First add the header, to tell clients to use HSTS. Quote the value: without quotes nginx treats the text after the first semicolon as a new directive. The `always` parameter (nginx 1.7.5 and later) sends the header on error responses as well; without it, add_header only applies to 2xx and 3xx responses:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Adjust the related virtual hosts: the plain-HTTP server block only performs a redirect (301) to the secured version of the website, and the HTTPS server block sends the header. Note that nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a `location` block that adds another header (for example Cache-Control) must repeat the HSTS line, otherwise that location silently drops it:

server {
  listen 80;
  server_name example.com;                         # placeholder name; $server_name below expands to it
  return 301 https://$server_name$request_uri;     # plain HTTP: redirect only, no HSTS header here
}

server {
  listen 443 ssl;
  ssl_certificate     /path/to/fullchain.pem;      # placeholder paths, adjust to your certificate
  ssl_certificate_key /path/to/privkey.pem;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Important notes

The HSTS header is only meaningful over a secured channel: RFC 6797 requires clients to ignore it when it arrives over plain HTTP, so the HTTP virtual host should only redirect and not send it.

Within the header, max-age defines for how many seconds after the last response the client keeps treating the site as HTTPS-only (31536000 in the examples is 365 days). Every response carrying the header refreshes that timer. Usually the exact value is less important, as the trend is to keep using HTTPS for privacy and data protection anyway. Should HTTPS ever have to be switched off again, sending max-age=0 tells clients to forget the policy.

Parent (apex) domain

Additionally, make sure the bare domain itself (example.com, not only www.example.com) sends the header, with includeSubDomains. A policy learned from www.example.com does not cover example.com or other subdomains, so an attacker could still steer a victim to a plain-HTTP hostname under the same domain, where cookies scoped to the parent domain would be sent in the clear. The includeSubDomains directive on the apex closes that gap for every name below it.
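The three notes above (the header is ignored over plain HTTP, max-age is a sliding timer, and includeSubDomains is what extends the apex policy to subdomains) are client-side rules from RFC 6797. The script below, an added example that is not code from the original post or from Lynis, implements them in two parts: `audit_response` checks what the HTTP and HTTPS virtual hosts configured above should and should not send, and `HstsCache` applies a learned policy the way a browser does. The `MIN_MAX_AGE` threshold is a choice made for this example (the post's one year), and every response it handles is a constructed sample, not captured traffic.

```python
"""Audit an HSTS deployment and apply the resulting policy like a browser would.
Added example for this post (not code from the page or from Lynis). Implements
RFC 6797 rules: a value parses only with one valid max-age, the header is ignored
over plain HTTP, and includeSubDomains extends example.com's policy to its
subdomains. The responses in __main__ are constructed samples."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000   # threshold chosen for this example: the post's one year


@dataclass
class HstsPolicy:
    max_age: int             # seconds the client must keep using HTTPS
    include_subdomains: bool


def parse_sts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    None means invalid: no max-age, a non-numeric max-age, or a directive
    given twice. Unknown directives (e.g. preload) are ignored."""
    seen = set()
    max_age = None
    include_subdomains = False
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        raw = raw.strip().strip('"')     # max-age may be sent as a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def audit_response(scheme: str, status: int, headers: Dict[str, str],
                   min_max_age: int = MIN_MAX_AGE) -> List[str]:
    """Findings for one response from the HTTP (scheme='http') or HTTPS vhost."""
    h = {k.lower(): v for k, v in headers.items()}
    sts = h.get("strict-transport-security")
    findings: List[str] = []
    if scheme == "http":
        if not (300 <= status < 400 and h.get("location", "").startswith("https://")):
            findings.append("plain-HTTP response does not redirect to HTTPS")
        if sts is not None:
            findings.append("HSTS header sent over plain HTTP (clients ignore it; remove it)")
        return findings
    if sts is None:
        return ["HTTPS response lacks Strict-Transport-Security"]
    policy = parse_sts(sts)
    if policy is None:
        return ["invalid Strict-Transport-Security value: %r" % sts]
    if policy.max_age < min_max_age:
        findings.append("max-age %d is below %d" % (policy.max_age, min_max_age))
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set: subdomains stay unprotected")
    return findings


class HstsCache:
    """Minimal client-side HSTS store (RFC 6797 sections 8.1 to 8.3)."""

    def __init__(self) -> None:
        self.known: Dict[str, HstsPolicy] = {}

    def learn(self, scheme: str, host: str, headers: Dict[str, str]) -> None:
        """Record a host's policy; responses over plain HTTP are ignored."""
        if scheme != "https":
            return
        h = {k.lower(): v for k, v in headers.items()}
        policy = parse_sts(h.get("strict-transport-security", ""))
        if policy is None:
            return
        if policy.max_age == 0:          # max-age=0 tells the client to forget the host
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = policy

    def must_use_https(self, host: str) -> bool:
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.known.get(".".join(labels[i:]))
            if policy is not None and (i == 0 or policy.include_subdomains):
                return True
        return False


if __name__ == "__main__":
    # Constructed samples: a correct port-80 redirect and a port-443 response.
    print(audit_response("http", 301, {"Location": "https://example.com/"}))
    print(audit_response("https", 200,
          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    cache = HstsCache()
    cache.learn("https", "example.com",
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(cache.must_use_https("api.example.com"))   # inherited from the apex policy
```

To audit a live server, feed `audit_response` the status and headers from a request to each virtual host (for example the output of `curl -sI`); the cache part shows why a header on www.example.com alone leaves example.com and its other subdomains without protection.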

Technical details

RFC 6797: HTTP Strict Transport Security (HSTS)

More resources

See also the Wikipedia page on HTTP Strict Transport Security.


March 2015: Added screenshot


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


  • Anonymous

    The header stanza for Apache uses typographical open and close quotes, rather than the standard doublequote required by programming languages and configuration files. Please consider switching the quotation marks to "straight quotes", to avoid creating problems for people who copy and paste.

