HSTS Compliance

GeoffatMM · April 13, 2020, 7:11pm

Hope this is the right forum.

I am trying to ensure my server meets all security requirements and have found different guides on achieving HSTS compliance but some of them are quite dated. Tried one and it did not work (crashed apache) so before I launch into trying them all, is there a definitive up to date set of instructions I should follow please?

Ta,

Geoff

DrCarsonBeckett · April 14, 2020, 9:36am

Either you do it via .htaccess for the domain(s) in need or do it directly at the apache2 itself.

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

You need to decide if you want to enable it for subdomains too or not. By default with that code its enabled.
Either place that in a .htaccess file and upload it or place it at the apache2 config file and restart the service.

GeoffatMM · April 14, 2020, 5:10pm

Carson

When I add this to the global config file for apache, it will not restart and tells me that the command header is not recognised. So I must be putting it in the wrong place. I also tried it in the sites-available directory for the server but that also did not work.

I added it to the .htacces file but that also does not appear to work.

https://hstspreload.org/?domain=xorex.rocks still reports an error.

GeoffatMM · April 14, 2020, 5:11pm

Is this tutorial still valid?

https://www.virtualmin.com/node/52164

If so I will try it. Do not want to risk it if it is out of date with current systems.

GeoffatMM · April 15, 2020, 5:50am

Actually, adding it to the .htaccess file did do something as it gave a 500 error for the main webpage for the site. I was still able to access webmin though. Commented out this line and the site is fine again. I put it in as the first line before the rewrite engine on lines. Tried it after these lines and got the same result.

GeoffatMM · April 15, 2020, 5:52am

Joe, not sure if you will read this but the tutorial I mentioned above looks easier to follow in the old forum that in the new. The style sheets do not highlight the items to enter in the same way. I assume these were transferred automatically? Can the style sheets be adjusted to improve the readability?

Geoff

GeoffatMM · April 15, 2020, 6:07am

Reading more info on HSTS the line inserted in the .htaccess file is probably working but there is more configuration needed (as in the tutorial) for the apache server to act on it.

I will follow the tutorial and report back.

Ilia · April 15, 2020, 1:16pm

Have a redirect set from http to https, and make sure to have installed/enabled mod_headers, while under Apache configuration set the following (just an example of what I personally have been using for last years on my production server):

<IfModule mod_headers.c>
	# The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should 
	# be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid 
	# clickjacking attacks, by ensuring that their content is not embedded into other sites.
	# There are three possible values for X-Frame-Options: DENY|SAMEORIGIN|ALLOW-FROM uri
  	Header always set X-Frame-Options DENY

  	Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  	Header always set X-Content-Type-Options nosniff
  	Header set X-XSS-Protection "1; mode=block"
</IfModule>

DrCarsonBeckett · April 16, 2020, 3:52pm

@GeoffatMM
Do read @Ilia his post. I totally forgot to mention the most important part for the configuration.
My bad!

Didier_Misson · April 16, 2020, 11:29pm

Hello.
Don’t use hstsprelaod as a test.
Use it only at the END when you are sure all is ok.

Better to use the great site of Scott Helme

Only when all seem correct, you can add the “preload” parameter and go for hstspreload.

in https://securityheaders.com/ … don’t be afraid with some red warning.
Myself, I not yet managed with “content security policy” … it’s difficult and if some error, you can block your site.

For HSTS
https://scotthelme.co.uk/hsts-the-missing-link-in-tls/

Didier_Misson · April 16, 2020, 11:38pm

This can be a option to include HSTS to ALL sites managed by your server.
But perhaps it will be “remove” if you upgrade Apache and headers module ?

If you want to include this with a “site by site” configuration, you can put these headers in the Apache Virtual Host (so each site can have a different settings).

example
Header set Feature-Policy: “vibrate ‘self’; sync-xhr ‘self’; midi ‘none’; accelerometer ‘none’; camera ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; payment ‘none’; usb ‘none’”
Header set Referrer-Policy: “strict-origin-when-cross-origin”

Same for the HSTS header.

Include the headers in the .htaccess is probably not the best idea.
If you use a CMS, some time .htaccess is replace when you will upgrade your CMS, and you will lose your headers

Better to include in the Apache VirtualHost

system · May 16, 2020, 11:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.