Occasionally I use services like SSL Labs to ensure everything is set up and working correctly on this server. One of the things that SSL Labs and others were dinging me for was lack of HTTP Strict Transport Security.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.
This turned out to be fairly trivial to implement. I’m using Apache, so I just had to update the Virtual Host file to add a single header:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Initially I tested with a much shorter max-age, just to make sure there weren't any resources still being served over plain HTTP that I had to deal with. Once I was satisfied there weren't, I set the expiration time to one non-leap year in seconds (31536000).
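The two-step rollout above (short max-age to shake out problems, then a one-year policy with includeSubDomains and preload) is easy to sanity-check by parsing the header the server actually sends. The following is an added example, not code from the original post: it parses a Strict-Transport-Security value and reports whether it is still in the "testing" shape or meets the preload-list shape used in the final header. The preload conditions it checks (max-age of at least one year, includeSubDomains, preload) are my assumption of the published hstspreload.org requirements; the response headers in the demo are constructed, not captured from a real server.

```python
"""Parse and check a Strict-Transport-Security header value.

Added example (not part of the original post). Preload requirements
encoded here are an assumption of the hstspreload.org rules; re-check
the site before submitting a domain.
"""

ONE_YEAR = 31536000  # 365 days in seconds, the max-age in the post's final header


def parse_hsts(value):
    """Split 'max-age=300; includeSubDomains' into a dict of directives.

    Names are lower-cased; valueless tokens map to None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(headers, scheme="https"):
    """Return a list of findings (empty list means preload-ready).

    headers: dict of response header names to values, any case.
    scheme:  scheme the response was fetched over. Browsers only honour
             HSTS on HTTPS responses, so a header seen only over HTTP
             does nothing.
    """
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    if scheme != "https":
        findings.append("header sent over HTTP is ignored by browsers; "
                        "it must be sent on HTTPS responses")

    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not a number")
        return findings
    max_age = int(max_age)
    if max_age == 0:
        findings.append("max-age=0 clears the policy (only useful to back out)")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below one year: "
                        "fine for testing, too short for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        findings.append("preload token missing (required for the preload list)")
    return findings


if __name__ == "__main__":
    # Constructed header values: the testing stage, then the post's final header.
    for value in ("max-age=300",
                  "max-age=31536000; includeSubDomains; preload"):
        result = check_hsts({"Strict-Transport-Security": value})
        print(f"{value!r} -> {result or 'preload-ready'}")
```

Feed it the headers from a real response (for example the output of `curl -sI https://your-host/`) once the Apache change is live. Note that the `preload` token is a commitment: once a domain is on the browser preload lists, removal takes a long time, so keep that token off the header until the one-year policy has been running cleanly on HTTPS, and remember that includeSubDomains forces every subdomain, including ones you have not looked at yet, onto HTTPS.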