HSTS Settings On Apache and Difference in Headers

Spread the love

Below is the line that have to be put in <VirtualHost *:443> where ‘*’ can be remained as it is or can be changed if you know what you are doing. Do not put below in HTTP virtual host block i.e. <VirtualHost *:80> (port and ‘*'(IP) can be anything if you have configured your server to listen on any other port)

Header always set Strict-Transport-Security "max-age=5184000; includeSubdomains;"

In above configuration the max-age is set to 60 days (means the headers will be cached for 60 days)

Below are the differences in Headers:

301 Response When HSTS is not enabled:

200 Response

404 Response:


HSTS only works for supported browsers