[Updated in February 2016]

Setting up HTTP Strict Transport Security (HSTS)

You can specify HTTP Strict Transport Security (HSTS) in response headers so that your server advertises to clients that it accepts only HTTPS requests. You can also redirect any non-HTTPS requests to SSL-enabled virtual hosts.

Before you begin

Procedure

  1. Enable the modification of response headers.
    Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file:
    LoadModule headers_module modules/mod_headers.so
  2. Define the HSTS policy for clients.

    Make the following updates in the httpd.conf file:

    1. Code the Header directive.
      The following example Header directive specifies useful options for defining your HSTS policy. It tells clients that the server always requires HTTPS connections, and that this requirement applies to both the domain and any of its subdomains. A client keeps the domain in its list of known HSTS domains for a maximum of one year (31536000 seconds); the preload option indicates that the domain can be included in browsers' preinstalled HSTS lists. The directive is a single line in httpd.conf:
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    2. Add the Header directive to each virtual host section, <VirtualHost>, that is enabled for Secure Sockets Layer (SSL).
  3. Redirect requests from virtual hosts that are not enabled for SSL to virtual hosts that are enabled.
    # Requires mod_rewrite (LoadModule rewrite_module modules/mod_rewrite.so)
    RewriteEngine on
    # [R] sends a temporary (302) redirect; [R=301] makes it permanent
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
    Add the stanza in one of the following places:
    • Once in each virtual host section in the httpd.conf file that is not enabled for SSL.
    • Once in the global httpd.conf file, outside the virtual host sections.
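As an added check that is not part of the IBM HTTP Server documentation, the following Python validates the header values a server returns after this procedure: it parses a Strict-Transport-Security value against the one-year, includeSubDomains, preload policy configured above, and confirms that a plain-HTTP response is a redirect to an https:// URL. The sample values at the bottom are constructed, not captured from a real server.

```python
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age used in the Header directive above


def parse_hsts(value):
    """Parse an HSTS header value into a dict. Directive names are
    case-insensitive (RFC 6797); returns None if max-age is missing/invalid."""
    policy = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max-age"] = int(arg)
        elif name:
            policy[name] = True
    return policy if "max-age" in policy else None


def check_hsts(value):
    """Return the ways `value` falls short of the one-year, subdomain-wide,
    preload-ready policy configured above (empty list = it matches)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy["max-age"] < ONE_YEAR:
        problems.append("max-age shorter than one year")
    if "includesubdomains" not in policy:
        problems.append("includeSubDomains missing")
    if "preload" in policy and problems:
        problems.append("preload set but its requirements are not met")
    return problems


def check_redirect(status, location):
    """True when a plain-HTTP response redirects to an https:// URL."""
    return status in (301, 302, 307, 308) and urlsplit(location).scheme == "https"


if __name__ == "__main__":
    # Constructed sample values; replace with the Strict-Transport-Security and
    # Location values from `curl -sI https://host/` and `curl -sI http://host/`.
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))  # []
    print(check_redirect(302, "https://www.example.com/"))  # True
```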

Results

You set up IBM® HTTP Server so that it tells clients to connect to the specified domain and its subdomains only over HTTPS. To ensure that your IBM HTTP Server does not serve non-HTTPS requests over non-SSL connections, you also set it up to redirect those requests to SSL-enabled virtual hosts.

What to do next

Add your server as a front end to your application server environment so that connections between your application server and a client are over HTTPS.


Last updated: January 28, 2018 08:56 PM GMT-06:00
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=ihs-dist&topic=tihs_hsts
File name: tihs_hsts.html
