How to Configure HSTS in Apache

DodaTech Updated 2026-06-24 2 min read

HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS. Proper configuration prevents SSL stripping attacks. This guide walks through the specific troubleshooting steps to diagnose and resolve HSTS issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong: HSTS disabled or misconfigured

Header always set Strict-Transport-Security "max-age=0"

Right: HSTS with 1-year max-age and subdomains

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Output

HSTS configured:
  Max-Age: 31536000 (1 year)
  IncludeSubDomains: enabled
  Preload: enabled

Prevention

To avoid future issues, follow these best practices:

  • Set max-age to at least 15552000 (180 days) for browsers to enforce
  • Add includeSubDomains to cover all subdomains
  • Enable preload after verifying your site works with HSTS
  • Submit to hstspreload.org for browser hardcoding
  • Use Header always set to apply HSTS on all responses including errors

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with SSL HSTS

  1. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  2. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  3. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks

These mistakes appear frequently in real-world Apache code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What is HSTS preload? Preload is a list of domains hardcoded into browsers. Sites on the list are always accessed via HTTPS, even on first visit.
What is a safe max-age for HSTS? Start with max-age=300 (5 minutes) during testing, then increase to 31536000 (1 year) once verified.