You need to use the setenv module (mod_setenv) for lighttpd. It allows influencing the environment external applications are spawned in and the response headers the server sends to the clients. You must configure ssl certificates for lighttpd before setting up HSTS headers.
Configuring HTTP Strict Transport Security for lighttpd
You need to edit lighttpd.conf file located in /etc/ directory:
$ sudo vi /etc/lighttpd/lighttpd.conf
For FreeBSD unix, enter:
$ sudo vi /usr/local/etc/lighttpd/lighttpd.conf
Add mod_setenv module:
server.modules += ( "mod_setenv" )
Syntax for HSTS
setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=SECONDS" ) |
Examples
Set Strict-Transport-Securit header i.e. push HSTS policy by sending the following HTTP response header from secure (HTTPS) websites:
# Set HSTS for six months including all subdomains setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000; includeSubdomains" ) |
The time is set six months (15768000 is in seconds). If you have multiple setenv.add-response-header, use the following syntax (note +=):
## Setting up two headers ### setenv.add-response-header = ( "X-Whom" => "lighttpd-aws-us-east" ) setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=15768000; includeSubdomains" ) |
Save and close the file. Restart the lighttpd web-server as follows:
$ sudo systemctl restart lighttpd
OR
$ sudo service lighttpd restart
OR
$ sudo /usr/local/etc/rc.d/lighttpd restart
Verify HSTS working
Type the following curl command to see HTTP headers:
$ curl -I https://your-domain-name-here/
$ curl -I https://www.cyberciti.biz/
Sample outputs:
References: