apache.htaccessmod-headers

How to set HSTS header from .htaccess only on HTTPS


My web application runs on a different number of hosts that I control. To prevent the need to change the Apache config of each vhost, I add most of the config using .htaccess files in my repo so the basic setup of each host is just a couple of lines. This also makes it possible to change the config upon deploying a new version. Currently the .htaccess (un)sets headers, does some rewrite magic and controls the caching of the UA.

I want to enable HSTS in the application using .htaccess. Just setting the header is easy:

Header always set Strict-Transport-Security "max-age=31536000"

But the spec clearly states: "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.". So I don't want to send the header when sending it over HTTP connections. See https://datatracker.ietf.org/doc/html/draft-ietf-websec-strict-transport-sec-14 .

I tried to set the header using environment vars, but I got stuck there. Anyone that knows how to do that?


Solution

  • Apparently there is a HTTPS environment variable available that can be used easily. For people with the same question:

    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS