enable HSTS by default

author: Jonas Smedegaard <dr@jones.dk> 2020-10-11 19:46:22 +0200
committer: Jonas Smedegaard <dr@jones.dk> 2020-10-11 19:46:22 +0200
commit: cf5ef8b29ec7929ec81249651c8d9597d9fa6cc5 (patch)
tree: 1e4032403c65ee6b99c66254b43e9776236de1da
parent: 8ff26974e6fced7d41412e56849c00269b61bece (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index 7b2cabf..e9dd2f5 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -16,6 +16,17 @@
 	RedirectMatch permanent ^(?!/.well-known/)(.*) https://${_HOST}/$1
 </If>
 
+# enable HSTS
+# <http://www.debian-administration.org/articles/662>
+<IfDefine !_NO_HSTS>
+<IfDefine !_NO_HSTS_SUBDOMAINS>
+	Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+</IfModule>
+<IfDefine _NO_HSTS_SUBDOMAINS>
+	Header add Strict-Transport-Security: "max-age=15768000"
+</IfModule>
+</IfModule>
+
 <IfModule mod_gnutls.c>
 	GnuTLSEnable on
 	<IfDefine _TLS_KEY>
author	Jonas Smedegaard <dr@jones.dk>	2020-10-11 19:46:22 +0200
committer	Jonas Smedegaard <dr@jones.dk>	2020-10-11 19:46:22 +0200
commit	cf5ef8b29ec7929ec81249651c8d9597d9fa6cc5 (patch)
tree	1e4032403c65ee6b99c66254b43e9776236de1da
parent	8ff26974e6fced7d41412e56849c00269b61bece (diff)