Apr 10, 2014

How To Enable HTTP Strict Transport Security in Apache on Ubuntu

So you have all heard of the new Heartbleed exploit in OpenSSL, right? It's all the buzz at work since my company works with a lot of banks. All of the banking security people are contacting their vendors to make sure we are not vulnerable. If you haven't heard, Heartbleed is:

...is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

So I checked all of our web servers using SSL Labs, and luckily none of our sites are vulnerable. However, while doing the checking I noticed that although my Apache web servers had A or A- ratings on SSL Labs, I could improve my SSL implementation and security by enabling HTTP Strict Transport Security (HSTS), which according to Wikipedia is:

...a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.

To implement it, just do the following in Ubuntu:
  • Run sudo a2enmod headers to enable the headers module
  • Edit your SSL config in /etc/apache2/sites-enabled and add the following line under <VirtualHost *:443>:
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Restart Apache by running sudo service apache2 restart

After doing that you can run a test against SSL Labs again and you will see that your rating has gone up! Here is a screen shot from my personal email server with an A+ rating!


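Incidentally, 31536000 seconds is the equivalent of 12 months, which should be good enough; however, you can adjust that number however you want! Keep in mind that includeSubDomains applies the policy to every subdomain of the site, so each of them needs to be reachable over HTTPS.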
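
To confirm locally that the header is being sent with the intended lifetime, here is an added example (not from the original post) that parses response headers and checks the Strict-Transport-Security policy. The function name hsts_check, the one-year default minimum and the sample responses are assumptions constructed for illustration.

```sh
#!/bin/sh
# hsts_check [MIN_AGE]: read HTTP response headers on stdin, print the parsed
# HSTS policy, return 0 (ok), 1 (header missing) or 2 (max-age bad or too low).
hsts_check() {
    min_age=${1:-31536000}
    # Header names are case-insensitive; strip the CRs of the wire format.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    [ -n "$value" ] || { echo "HSTS header missing"; return 1; }

    max_age='' subdomains=no
    old_ifs=$IFS; IFS=';'; set -f      # split the value into directives on ';'
    for d in $value; do
        # Trim blanks and optional quotes; directive names are case-insensitive.
        d=$(printf '%s' "$d" | tr -d ' \t"' | tr 'A-Z' 'a-z')
        case $d in
            max-age=*) max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
        esac
    done
    set +f; IFS=$old_ifs

    case $max_age in
        ''|*[!0-9]*) echo "max-age missing or not a number"; return 2 ;;
    esac
    # Drop leading zeros so the arithmetic below never reads the value as octal.
    max_age=$(printf '%s' "$max_age" | sed 's/^0*\(.\)/\1/')
    echo "max-age=$max_age ($(( $max_age / 86400 )) days) includeSubDomains=$subdomains"
    [ "$max_age" -ge "$min_age" ] || return 2
}

# Constructed sample responses (not captured from a real server).
good='HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n'
short='HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=3153600\r\n\r\n'

printf "$good"  | hsts_check && echo "=> OK"
# A value one digit short is only about 36 days, so it is flagged.
printf "$short" | hsts_check || echo "=> policy shorter than one year"
# Against a live site (example.com is a placeholder):
#   curl -sI https://example.com | hsts_check
```

The check needs to be run against the HTTPS URL, since that is the virtual host where the header was configured.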
