HTTP Strict Transport Security (HSTS)

ReN

Just curious if this might be something the DirectAdmin gods would incorporate into their default config, or do you guys think it's overkill... Discuss?
 
I am trying to add this on my CentOS 6 servers, but cannot get it to work. On my Windows servers it is like this:

Code:
LoadModule headers_module modules/mod_headers.so
And in the VirtualHost config:
Code:
	<IfModule headers_module>
		# Use HTTP Strict Transport Security to force client to use secure connections only
		Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	</IfModule>
As far as I know, mod_headers is enabled by default in DirectAdmin, so it should be enough to add this to the VirtualHost config:
Code:
		# Use HTTP Strict Transport Security to force client to use secure connections only
		Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLlabs.com however tells me it is not enabled. Am I missing something? Can anyone share his config?
 
For me it worked by just adding

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

to the custom httpd conf for that domain.
I went from A to A+ on SSLlabs :cool:
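
Added example, not from any poster in this thread: a Python check of how a browser treats a Strict-Transport-Security value under RFC 6797, useful when a scanner reports the header as missing even though the `Header` line is in the config. The function name `evaluate_hsts`, the result keys and the sample inputs are constructed for illustration.

```python
import re

# Added example: evaluates Strict-Transport-Security the way RFC 6797 tells a
# browser to. The function name and result keys are illustrative assumptions.
def evaluate_hsts(scheme, header_values):
    """scheme: 'http' or 'https'; header_values: every STS header on the response, in order."""
    if scheme.lower() != "https":
        # RFC 6797 8.1: an STS header received over insecure transport is ignored.
        return {"honored": False, "reason": "sent over plain HTTP, ignored by browsers"}
    if not header_values:
        return {"honored": False, "reason": "header missing from HTTPS response"}
    directives = {}
    # Only the first STS header field is processed when several are present.
    for part in header_values[0].split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # quoted-string form, e.g. max-age="600"
        if name in directives:
            return {"honored": False, "reason": "duplicate directive " + name}
        directives[name] = value
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return {"honored": False, "reason": "max-age missing or not a number"}
    seconds = int(max_age)
    return {
        "honored": True,
        "max_age": seconds,
        "include_subdomains": "includesubdomains" in directives,
        "removes_policy": seconds == 0,  # max-age=0 makes the browser forget the host
        "reason": "ok",
    }

# Constructed samples: the header value from this thread on each kind of response.
SAMPLES = [
    ("https", ["max-age=31536000; includeSubDomains"]),
    ("http", ["max-age=31536000; includeSubDomains"]),
    ("https", []),
    ("https", ["includeSubDomains"]),
]

if __name__ == "__main__":
    for scheme, values in SAMPLES:
        print(scheme, values, "->", evaluate_hsts(scheme, values))
```

Feed it the scheme and the header values actually observed on a response; the header only counts when it arrives on the HTTPS response itself.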
 