Setting up HTTP Strict Transport Security (HSTS)

You can specify HTTP Strict Transport Security (HSTS) in response headers so that your server advertises to clients that it accepts only HTTPS requests. You can redirect any non-HTTPS requests to SSL-enabled virtual hosts.

Before you begin

  • If SSL/TLS is terminated by a device ahead of IBM HTTP Server, and if IBM HTTP Server is not configured for SSL/TLS, the following procedure does not apply. Instead, you must configure HTTP Strict Transport Security on the device that terminated SSL/TLS. For more information about HTTP Strict Transport Security configuration, see RFC 6797 section 7.
  • Determine whether your HSTS policy applies to only the domain or includes subdomains.
  • Determine whether the domain can be part of the preinstalled list of known HSTS hosts in a client.
  • Determine how long the client can cache the information that indicates that the domain is an HSTS host.
  • Restriction: The server does not add the HSTS headers to HTTP 304 (not modified) responses. These responses are used to validate cache freshness. A client will not see the HSTS headers until it accesses at least one uncached (or stale) resource on the server.
  • HSTS works only if the client is connecting to the default ports for HTTP (port 80) and HTTPS (port 443). If you are using non-default ports in your IBM HTTP Server configuration, you need to use an additional front-end device that does use the default ports. Place the additional front-end device between your IBM HTTP Server and the client. For example:
    client ----> load balancer (ports 80 and 443) ----> IHS (other ports) 

Procedure

  1. Enable the modification of response headers.
    Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file:
    LoadModule headers_module modules/mod_headers.so
  2. Define the HSTS policy for clients.

    Make the following updates in the httpd.conf file:

    1. Add the Header directive for Strict-Transport-Security.
      The following example Header directive specifies useful options for defining your HSTS policy. The directive specifies that the server always requires HTTPS connections, and that the requirement applies to both the domain and any subdomain. A client caches the domain as a known HSTS host for a maximum of one year (31536000 seconds), and the preload token indicates that the domain can be included in a client's preinstalled list of HSTS hosts.
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    2. Add the Header directive to each virtual host section, <VirtualHost>, that is enabled for Secure Sockets Layer (SSL).
  3. Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that are enabled.
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
    Add the stanza once, in either of the following places:
    • Each non-SSL virtual host section in the httpd.conf file.
    • The global scope of the httpd.conf file, outside the virtual host sections.
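
To confirm what a virtual host actually returns after this procedure, the following Python script (an added example, not code from the IBM HTTP Server documentation or product) parses a Strict-Transport-Security value according to RFC 6797 section 6.1 and reports findings for a captured response, including the 304 restriction noted above. The sample response is constructed, and the rule that preload requires includeSubDomains and a max-age of at least one year is an assumption taken from the public preload-list submission requirements.

```python
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the max-age used in the procedure above

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1; return
    None if max-age is missing/non-numeric or a directive repeats (invalid)."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = val.strip().strip('"')  # unknown directives are ignored
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return HstsPolicy(int(seen["max-age"]), "includesubdomains" in seen,
                      "preload" in seen)

def check_hsts_response(scheme, status, headers):
    """Return findings for one response: scheme used, status code, header dict."""
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        if status == 304:  # IHS never adds HSTS to 304; retest uncached
            return ["info: 304 without HSTS, retry with an uncached resource"]
        return ["missing Strict-Transport-Security header"]
    if scheme != "https":  # RFC 6797 8.1: clients ignore HSTS over plain HTTP
        findings.append("HSTS sent over plain HTTP is ignored by clients")
    policy = parse_hsts(value)
    if policy is None:
        return findings + ["invalid header value: " + value]
    # Assumption: the public preload list requires these before submission
    if policy.preload and (not policy.include_subdomains
                           or policy.max_age < ONE_YEAR):
        findings.append("preload needs includeSubDomains and max-age >= 1 year")
    return findings

# Constructed sample: what an SSL virtual host from this procedure should return
SAMPLE_FINDINGS = check_hsts_response("https", 200, {"Strict-Transport-Security":
                  "max-age=31536000; includeSubDomains; preload"})  # == []
```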

Results

You set up IBM® HTTP Server so that it tells clients to connect to the specified domains and subdomains only over HTTPS. To ensure that IBM HTTP Server does not serve non-HTTPS requests from its non-SSL virtual hosts, you set the server up to redirect those requests to SSL-enabled virtual hosts.

What to do next

Add your server as a front end to your application server environment so that connections between your application server and a client are over HTTPS.