After the changes I made yesterday to the configuration of the web server and getting an A rating on the SSL Server Test, I thought to myself: ‘Why not try to go for the A+ rating?’ Some quick searches taught me that this could be achieved by implementing HSTS (HTTP Strict Transport Security).
HTTP Strict Transport Security (HSTS) is a policy mechanism that allows a web server to enforce the use of TLS in a compliant User Agent (UA), such as a web browser. HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. Most notably HSTS mitigates variants of man in the middle (MiTM) attacks where TLS can be stripped out of communications with a server, leaving a user vulnerable to further risk.
Excerpt from an article by Scott Helme
Apache2 config changes
The first step is to ensure that the headers module is enabled:
sudo a2enmod headers
Next, edit the .conf file for your domain and add the following lines to the HTTPS VirtualHost directive. Note that includeSubDomains commits every subdomain to HTTPS for the whole max-age, so only use it if all subdomains are served over valid TLS:
# Guarantee HTTPS for 1 Year including Sub Domains
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
and the following line to the plain-HTTP (port 80) VirtualHost directive to redirect all non-HTTPS requests to HTTPS (make sure to replace example.com with the correct domain):
# Redirect non-HTTPS requests
Redirect permanent / https://example.com/
Test the changes you have made and, when the syntax check reports OK, restart the apache2 daemon:
sudo apachectl configtest
sudo service apache2 restart
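Putting the steps above together, here is an added example in the form of a small shell script; it is not from the original post. One function writes the complete pair of VirtualHosts (the plain-HTTP redirect host and the HTTPS host carrying the HSTS header) to a file, a second checks a Strict-Transport-Security header value the way the SSL Server Test does, requiring at least the one-year max-age used above plus includeSubDomains, and a third pulls the live headers with curl. The domain example.com, the DocumentRoot and the certificate paths under /etc/ssl/example.com/ are placeholders I assumed; mod_ssl and mod_headers must be enabled.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed placeholders:
# domain example.com, DocumentRoot /var/www/example.com and certificate
# paths under /etc/ssl/example.com/ (adjust for your server).
# Requires mod_ssl and mod_headers (sudo a2enmod ssl headers).

# Write both VirtualHosts to the file given as $1 for the domain given as $2.
write_vhost_conf() {
    out="$1"
    domain="${2:-example.com}"
    cat > "$out" <<EOF
# Plain-HTTP VirtualHost: its only job is to send every request to HTTPS.
# Redirect keeps the rest of the path, so http://$domain/foo -> https://$domain/foo
<VirtualHost *:80>
    ServerName $domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/$domain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/$domain/privkey.pem
    # HSTS belongs on the HTTPS host only: browsers ignore the header over plain HTTP.
    # 'always' sends it on error responses too, not only on 2xx.
    # includeSubDomains pins every subdomain to HTTPS for a year, so all of them
    # must already serve valid TLS before this goes live.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
}

# Check one Strict-Transport-Security header value ($1).
# Passes only with a max-age of at least one year and includeSubDomains;
# directive names are matched case-insensitively, as RFC 6797 requires.
hsts_ok() {
    value="$1"
    lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    age=$(printf '%s' "$lower" | tr ';' '\n' \
          | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "no max-age directive" >&2; return 1
    fi
    if [ "$age" -lt 31536000 ]; then
        echo "max-age $age is shorter than one year" >&2; return 1
    fi
    if ! printf '%s' "$lower" | grep -q 'includesubdomains'; then
        echo "includeSubDomains missing" >&2; return 1
    fi
    return 0
}

# Live check of a deployed site (needs network, so the demo below does not call it).
check_site() {
    domain="${1:-example.com}"
    # -s quiet, -I HEAD request; redirects are deliberately not followed.
    hsts=$(curl -sI "https://$domain/" | tr -d '\r' \
           | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p')
    if [ -z "$hsts" ]; then
        echo "no HSTS header from https://$domain/" >&2; return 1
    fi
    hsts_ok "$hsts" || return 1
    # The plain-HTTP host must answer with a redirect to the HTTPS origin.
    if ! curl -sI "http://$domain/" | tr -d '\r' | grep -qi "^Location: https://$domain/"; then
        echo "http://$domain/ does not redirect to HTTPS" >&2; return 1
    fi
    echo "$domain: HSTS header and HTTP redirect look good"
}

# Demo on constructed header values (no network needed):
for v in "max-age=31536000; includeSubDomains" \
         "max-age=300; includeSubDomains" \
         "includeSubDomains"; do
    if hsts_ok "$v"; then echo "OK:   $v"; else echo "WEAK: $v"; fi
done
```

Write the config with `write_vhost_conf /etc/apache2/sites-available/example.com.conf example.com`, run `sudo apachectl configtest` before restarting, and once the site is live run `check_site example.com` to confirm both the redirect and the header from the outside, which is the same thing the SSL Server Test looks at before it awards the A+.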
And this was the result after running the SSL Server Test again