10

I'm trying to add HSTS headers to every response, across my app.

My first thought was to use mod_headers — I placed this directive in an .htaccess file at the documentroot:

Header set Strict-Transport-Security "max-age=7776000"

This works fine on my local setup using Apache 2.2 and mod_php. All resources respond with the appropriate HSTS header.

My deployment environment uses Apache 2.2 and mod_fastcgi and the above technique works for any resource except php files.

Another SO question had a similar problem, where incoming requests (?) had headers stripped — but I'm concerned about modifying headers of response leaving the server.

How can I add response headers to php resources in the context of an .htaccess file?

Community
  • 1
  • 1
Mark Fox
  • 8,694
  • 9
  • 53
  • 75
  • Have you found a solution yet? The answer from Stephens comment did not work for me :( – Nico Haase Jul 07 '17 at 09:50
  • I did not. When I had this problem I moved the responsibility of adding the HSTS header into my application code. I was using Symfony, so it was pretty trivial, although it would still be my preference to configure this at the web-server level :-/ – Mark Fox Jul 07 '17 at 17:00
  • 1
    Thanks, Mark! Did it the same way :( – Nico Haase Jul 08 '17 at 08:54

1 Answers1

1

According to the docs for mod_headers you probably need to set the optional conditional flag for the header directive.

So in this case, it would become

Header always set Strict-Transport-Security "max-age=7776000"
Stephen
  • 18,597
  • 4
  • 32
  • 33