From cf5ef8b29ec7929ec81249651c8d9597d9fa6cc5 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Sun, 11 Oct 2020 19:46:22 +0200
Subject: enable HSTS by default

---
 apache2/conf-available/local-ssl.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index 7b2cabf..e9dd2f5 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -16,6 +16,17 @@
 	RedirectMatch permanent ^(?!/.well-known/)(.*) https://${_HOST}/$1
 </If>
 
+# enable HSTS
+# <http://www.debian-administration.org/articles/662>
+<IfDefine !_NO_HSTS>
+<IfDefine !_NO_HSTS_SUBDOMAINS>
+	Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+</IfModule>
+<IfDefine _NO_HSTS_SUBDOMAINS>
+	Header add Strict-Transport-Security: "max-age=15768000"
+</IfModule>
+</IfModule>
+
 <IfModule mod_gnutls.c>
 	GnuTLSEnable on
 	<IfDefine _TLS_KEY>
-- 
cgit v1.2.3