HTTP Strict Transport Security: Apache

To enable HTTP Strict Transport Security (HSTS) in Apache, edit the vhosts file. The header should only be sent over HTTPS connections, so add it to the VirtualHost section for port 443. The Header directive requires mod_headers to be enabled.

      # Use HTTP Strict Transport Security to force clients to use secure connections only
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

The max-age value is in seconds. Use 31536000 for 12 months or 63072000 for 24 months.

Adding includeSubDomains means that subdomains of the main domain must also be accessed using SSL (HTTPS).
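
To check the header value a server actually returns against the settings above, the following added example (not part of the original page) parses a Strict-Transport-Security value using the syntax rules of RFC 6797 and reports policy gaps. The function names, the 12-month minimum and the sample values are assumptions made for illustration.

```python
import re

# Directive syntax per RFC 6797 section 6.1: name[=token | ="quoted-string"].
_DIRECTIVE = re.compile(r'^([A-Za-z0-9!#$%&\'*+.^_`|~-]+)(?:\s*=\s*("?)([^";]*)\2)?$')
ONE_YEAR = 31536000  # the 12-month value used on this page (assumed minimum)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty directive, which is allowed
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = m.group(3)  # None when the directive has no value
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age is required and must be a whole number of seconds")
    if seen.get("includesubdomains") is not None:
        raise ValueError("includeSubDomains takes no value")
    return int(age), "includesubdomains" in seen

def audit_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy matches this page."""
    try:
        max_age, subdomains = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < min_age:
        findings.append(f"max-age {max_age}s is shorter than {min_age}s")
    if not subdomains:
        findings.append("includeSubDomains is missing; subdomains are not covered")
    return findings

# Constructed sample header values, not captured from a real server.
SAMPLES = ["max-age=31536000; includeSubDomains", 'MAX-AGE="63072000"; includesubdomains',
           "max-age=300", "includeSubDomains"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit_hsts(s) or "OK")
```

Pass it the header value taken from an HTTPS response of the site after reloading Apache.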

