How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL)
    • httpd
  • Red Hat Software Collections (RHSCL)
    • httpd
  • Red Hat JBoss Core Services (JBCS)
    • Apache httpd
  • Apache Web Server (HTTPD)

Issue

Resolution

  • Verify that the Apache HTTPD headers module (mod_headers) is loaded, in /etc/httpd/conf/httpd.conf or /etc/httpd/conf.modules.d/00-base.conf:

      LoadModule headers_module modules/mod_headers.so
    
  • Add the following header directive to the <VirtualHost *:443> virtual host in /etc/httpd/conf.d/ssl.conf, or to each SSL-enabled virtual host. Browsers only honour this header when it arrives over HTTPS, so it belongs on the TLS virtual hosts, not on the plain HTTP one:

      Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    
  • Configure the non-encrypted virtual host to redirect all traffic to HTTPS by adding the following to the bottom of httpd.conf, or to any other configuration file, as long as it is set globally:

      <IfModule mod_rewrite.c>
          RewriteEngine On
          # Only rewrite requests that did not arrive over TLS
          RewriteCond %{HTTPS} off
          # Send the client to the same host and path over https://
          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
      </IfModule>
    
  • If the changes above were made while Apache HTTPD was running, a restart is required.

Diagnostic Steps

  • Check if the Strict-Transport-Security header is added to the response.

  • Run a curl command such as:

      curl -I https://yourdomain.com | grep -i strict
    
  • Replace yourdomain.com with a valid domain.

  • The output will be something like this:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    
  • Another option is the browser's Developer Tools: check the response headers on the tab that lists the requests and responses (usually the Network tab).
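As an added check that is not part of this article, the following Python script parses the Strict-Transport-Security header the way a browser does (RFC 6797) and flags a missing header, a malformed value, a short max-age, or a missing includeSubDomains. The MIN_MAX_AGE floor, the function names and the constructed SAMPLE_HEADERS are assumptions of the example; fetch_headers() lets you run the same check against a live host.

```python
import re
from urllib.request import Request, urlopen

MIN_MAX_AGE = 31536000  # one year, the floor most hardening guides expect

def parse_hsts(value):
    """Parse an STS header value (RFC 6797) into a dict, or return None if it is
    malformed (missing/non-numeric max-age or a repeated directive); others are ignored."""
    found = {}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in found:  # RFC 6797 6.1: a directive must not appear twice
            return None
        raw = raw.strip().strip('"')  # max-age="300" is a valid quoted form
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", raw):
                return None
            found[name] = int(raw)
        elif name in ("includesubdomains", "preload"):
            found[name] = True
    if "max-age" not in found:
        return None
    return {"max-age": found["max-age"],
            "includeSubDomains": found.get("includesubdomains", False),
            "preload": found.get("preload", False)}

def check_headers(headers):
    """headers: list of (name, value) pairs. Returns (ok, explanation)."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header in the response"
    policy = parse_hsts(values[0])  # browsers honour only the first STS header
    if policy is None:
        return False, "malformed Strict-Transport-Security value: %r" % values[0]
    if policy["max-age"] < MIN_MAX_AGE:
        return False, "max-age %d is below %d" % (policy["max-age"], MIN_MAX_AGE)
    if not policy["includeSubDomains"]:
        return False, "includeSubDomains missing, so subdomains stay unprotected"
    return True, "HSTS ok: %s" % policy

def fetch_headers(url):
    """HEAD request to url, e.g. fetch_headers("https://yourdomain.com")."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return list(resp.headers.items())

# Constructed sample matching the article's configuration (not a real capture)
SAMPLE_HEADERS = [("Server", "Apache"), ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")]
```

Running `check_headers(fetch_headers("https://yourdomain.com"))` gives the same verdict for a live server that `check_headers(SAMPLE_HEADERS)` gives for the constructed sample.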

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.