How to setup HTTP Strict Transport Security With Lighttpd Web Server

HTTP Strict Transport Security (HSTS) is a security feature that lets your web site tell client browsers that it should only be communicated with over HTTPS. How can I set up HSTS using the lighttpd web server on a Linux or Unix-like system?

You need to use the setenv module (mod_setenv) for lighttpd. It allows influencing the environment external applications are spawned in and the response headers the server sends to clients. You must configure SSL/TLS certificates for lighttpd before setting up HSTS headers, because the header only has an effect when it is delivered over HTTPS.


Configuring HTTP Strict Transport Security for lighttpd

You need to edit the lighttpd.conf file located in the /etc/lighttpd/ directory:
$ sudo vi /etc/lighttpd/lighttpd.conf
For FreeBSD unix, enter:
$ sudo vi /usr/local/etc/lighttpd/lighttpd.conf
Add mod_setenv module:

server.modules += ( "mod_setenv" )

Syntax for HSTS

setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=SECONDS"  )

Examples

Set the Strict-Transport-Security header, i.e. push the HSTS policy by sending the following HTTP response header from secure (HTTPS) web sites:

# Set HSTS for six months including all subdomains
setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000; includeSubdomains"  )

The max-age is set to six months (15768000 seconds). If you have multiple setenv.add-response-header settings, use the following syntax (note the +=, which appends instead of overwriting the earlier header):

## Setting up two headers ###
setenv.add-response-header = ( "X-Whom" => "lighttpd-aws-us-east" )
setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=15768000; includeSubdomains"  )

Save and close the file. Restart the lighttpd web server as follows:
$ sudo systemctl restart lighttpd
OR
$ sudo service lighttpd restart
OR
$ sudo /usr/local/etc/rc.d/lighttpd restart

Verify HSTS working

Type the following curl command to see HTTP headers:
$ curl -I https://your-domain-name-here/
$ curl -I https://www.cyberciti.biz/

Sample outputs:

Fig.01: Verify HTTP Strict Transport Security (HSTS) header with curl command
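Eyeballing curl output works for one host, but a script is handier when you have several lighttpd servers to audit. The following POSIX shell functions are an added example and are not part of the original article: they parse raw response headers (the kind `curl -I` prints) and confirm that a Strict-Transport-Security header is present, that its max-age is at least a required minimum, and that includeSubDomains is set. The sample header text below is constructed for the example, not a real capture; the function names and the exit-code convention (0 ok, 1 fail, 2 policy present but subdomains unprotected) are my own choices.

```shell
#!/bin/sh
# Added example: validate an HSTS header in raw HTTP response headers.
# Usage with a live host:  curl -sI https://your-domain-name-here/ | hsts_check "$(cat)" 15768000

# Print the value of the Strict-Transport-Security header (name matched
# case-insensitively), with the CR and leading whitespace stripped.
# Prints nothing when the header is absent. Reads headers from stdin.
hsts_value() {
    tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the numeric max-age from a value such as "max-age=15768000; includeSubdomains".
# Directives are split on ";" and compared case-insensitively; the rarely used
# quoted form max-age="N" is deliberately not accepted. Prints nothing if missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed -n 's/^[ \t]*max-age=\([0-9][0-9]*\)[ \t]*$/\1/p' | head -n 1
}

# hsts_check HEADERS [MIN_AGE]
# Returns 0 when the header is present, max-age >= MIN_AGE (default 15768000, six
# months, as in the article) and includeSubDomains is set; returns 1 when the
# header is missing or too weak, 2 when the policy is fine but subdomains are left out.
hsts_check() {
    headers=$1
    min_age=${2:-15768000}
    value=$(printf '%s\n' "$headers" | hsts_value)
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    age=$(hsts_max_age "$value")
    if [ -z "$age" ]; then
        echo "FAIL: max-age directive missing in '$value'"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "FAIL: max-age $age is below the required $min_age seconds"
        return 1
    fi
    case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
        *includesubdomains*) ;;
        *) echo "WARN: includeSubDomains not set, subdomains stay unprotected: '$value'"
           return 2 ;;
    esac
    echo "OK: $value"
    return 0
}

# Constructed sample of what curl -I shows for a lighttpd host configured as in
# the article (six-month policy, includeSubdomains). Not a real capture.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=15768000; includeSubdomains
Server: lighttpd'

# Constructed sample with a max-age far too short to be useful.
WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300; includeSubDomains
Server: lighttpd'

hsts_check "$SAMPLE_HEADERS"
hsts_check "$WEAK_HEADERS" || :
```

The header name and directive names are matched case-insensitively because RFC 6797 defines them that way, which is also why the article's `includeSubdomains` spelling is accepted by browsers. Pipe real `curl -sI` output into the script to check a live server; it only inspects the first Strict-Transport-Security header it finds, so a server that sends two (for example one from lighttpd and one from a backend application) still deserves a manual look.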

