Topic: Problem implementing Strict-Transport-Security

Author: Haldrik
Joined: 28 Aug 2017
Posts: 1
Location: USA, Asheville

Posted: Tue 29 Aug '17 17:30    Post subject: Problem implementing Strict-Transport-Security

Hello everyone!
New to forum, first post. I'm having a problem implementing Strict-Transport-Security on a server running Apache 2.4.10, PHP 7.1.8 (Ubuntu 14.04).
I've read every related post on this forum, and I actually have it working fine on a different server (2.4.18 with Ubuntu 16.04), but nothing I do is working. I know this because Mozilla's "Observatory" report for this site is saying that "HTTP Strict Transport Security (HSTS) header cannot be recognized."
My /etc/apache2/sites-available/default.conf.le-ssl.conf contains this:
Code:

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
Include /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
</IfModule>

I also added this line to my /etc/apache2/apache2.conf file:
Code:
Header set Strict-Transport-Security "max-age-31536000; includeSubDomains; preload"
Other headers set in the apache2.conf file (X-Content-Type-Options, for example) are working fine. SSL works fine on the site. In fact, the site works fine, but I'm distressed that the Observatory score is low because of this one factor.
Thanks for any tips to get this working!

Author: Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU

Posted: Mon 04 Sep '17 9:14    Post subject: Re: Problem implementing Strict-Transport-Security

Haldrik wrote:
I also added this line to my /etc/apache2/apache2.conf file:
Code:
Header set Strict-Transport-Security "max-age-31536000; includeSubDomains; preload"

There is a typo here: max-age-31536000 should be max-age=31536000.
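
Added example (not part of the original thread): a small checker for Strict-Transport-Security values that follows the RFC 6797 grammar. It shows why the apache2.conf value fails under those rules: the misspelled max-age-31536000 is a syntactically valid but unknown directive, so it is ignored and the required max-age is missing. The function names are hypothetical, and splitting on ";" assumes no quoted value contains a semicolon.

```python
import re

# RFC 7230 "token" characters: valid directive names and unquoted values.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# The two values from the thread: vhost config and apache2.conf.
VHOST = "max-age=31536000; includeSubDomains"
GLOBAL = "max-age-31536000; includeSubDomains; preload"

def parse_hsts(value):
    """Return (policy, errors) for one header value; policy is None if invalid."""
    seen, errors = {}, []
    # Simplification (assumption): no quoted value contains a ';'.
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue  # the grammar allows empty directives
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not TOKEN.match(name):
            errors.append(f"malformed directive: {part!r}")
        elif name in seen:
            errors.append(f"duplicate directive: {name}")
        else:
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # quoted-string form, e.g. max-age="300"
            seen[name] = val if sep else None
    if "max-age" not in seen:
        # A misspelled name is still a valid token, so it is silently ignored.
        near = [n for n in seen if n.startswith("max-age")]
        hint = f" (unknown directive {near[0]!r} ignored)" if near else ""
        errors.append("required max-age directive missing" + hint)
    elif not re.fullmatch(r"[0-9]+", seen["max-age"] or ""):
        errors.append(f"max-age is not delta-seconds: {seen['max-age']!r}")
    if errors:
        return None, errors
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}, []

def effective_policy(header_values):
    """RFC 6797 section 8.1: only the first STS header in a response is used."""
    if not header_values:
        return None, ["no Strict-Transport-Security header"]
    return parse_hsts(header_values[0])

if __name__ == "__main__":
    for label, value in (("vhost", VHOST), ("apache2.conf", GLOBAL)):
        print(label, parse_hsts(value))
```

effective_policy takes the header values in the order they appear in a response, so it can be used to check what a client would see when the header is set in more than one place.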