After the changes I made yesterday to the configuration of the web server and getting the A rating on SSL Server Test, I thought to myself ‘Why not try to go for the A+ rating’. Some quick searches learned that this could be achieved by implementing HSTS (HTTP Strict Transport Security.

HTTP Strict Transport Security (HSTS) is a policy mechanism that allows a web server to enforce the use of TLS in a compliant User Agent (UA), such as a web browser. HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. Most notably HSTS mitigates variants of man in the middle (MiTM) attacks where TLS can be stripped out of communications with a server, leaving a user vulnerable to further risk.

Excerpt from an article by Scott Helme

Apache2 config changes

First step is to ensure that the headers module has been enabled

sudo a2enmod headers

Next is to make some changes to the .conf for you domain by adding the following lines to the HTTPS VirtualHost directive

# Guarantee HTTPS for 1 Year including Sub Domains
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains

and the following line to the non-HTTP VirtualHost directive to redirect all non-HTTPS request to the HTTPS (make sure to replace example.com with the correct domain)

# Redirect non-HTTPS request
Redirect permanent / https://example.com/

Test the changes you have made and when OK restart the apache2 deamon

sudo apachectl configtest
sudo service apache2 restart

And this was the result after running the SSL Server Test again

Rating A+