HSTS header: HTTP Strict Transport Security

Version 1.49

Feature
Finished

New option for HTTP Strict-Transport-Security in the directadmin.conf. The internal default is:

hsts=-1

which is disabled. The value is in seconds. If the directadmin.conf contains:

SSL=1
hsts=5184000

and hsts is greater than or equal to 0, then the header will be set to that value:

Strict-Transport-Security: max-age=5184000

NOTE: it will only be added to the login page, and not to any other page. DA's debug level 2500 will let you know if it's added. See "IMPORTANT" below.

To disable the header, you must set it to -1 in the directadmin.conf, or delete the hsts value from the directadmin.conf, reverting to the internal -1 default:

hsts=-1

Because browsers will remember the setting, if you are going from a large value (5184000), then to make the browser "forget" you must set it to 0 for a while:

hsts=0

so that the header is still sent to clients, but with max-age=0, shutting it off. After all browsers/clients have received the change, you can set it to -1.

If SSL=0, this header is not added, and will not apply.

==============
IMPORTANT

When this feature is used on DA's port (2222), browsers have been noticed to carry over the behavior onto the apache ports (443). Meaning, if you do the following:

https://www.domain.com:2222

it will set the header, so far so good. So if you go to apache on port 80 (which should be unrelated):

http://www.domain.com

this will redirect you to https://www.domain.com (apache 443), as per how the feature works, even though it's not what we want. I'm not currently aware of a way to tell HSTS to only do http://2222 -> https://2222 and ignore 80/443, which is an unrelated service. This is why the feature is disabled (-1) by default.

If you use it, I'd recommend using both:

ssl_redirect_host=server.domain.com
force_hostname=server.domain.com

on a host value (server.domain.com) that you don't use for apache (www.domain.com), or else it will affect your connection to your website if you've previously visited DA. If you use HSTS in apache as well, then you should be fine.

If you don't force the server.domain.com host value, then if the client uses their own domain, like:

https://fredsdomain.com:2222

then the header will also apply to http://fredsdomain.com, forcing them to https://fredsdomain.com if they previously accessed DA.
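The carry-over from port 2222 to ports 80/443 follows from how browsers store HSTS (RFC 6797): the policy is keyed by host name only, with no port in the key. The following is an added example, not DirectAdmin code, that models a browser's HSTS cache and the directadmin.conf hsts rule (-1 sends no header, 0 tells browsers to drop the policy, a positive value sets max-age). The class and function names and the sample host names are constructed for the illustration.

```python
"""Toy model of browser HSTS handling (RFC 6797) showing why a
Strict-Transport-Security header received on DirectAdmin's port 2222
also upgrades requests to Apache on port 80: the browser stores the
policy per host name, never per port.  Added example, not DirectAdmin code."""
from urllib.parse import urlsplit, urlunsplit


def build_hsts_header(hsts: int):
    """Mirror the directadmin.conf rule: hsts < 0 -> no header at all,
    hsts >= 0 -> 'max-age=<hsts>' (max-age=0 makes browsers forget the host)."""
    if hsts < 0:
        return None
    return f"max-age={hsts}"


def parse_max_age(header_value: str):
    """Return the max-age directive as an int, or None if absent or malformed."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


class HstsCache:
    """Per-host policy store: host name -> expiry time in seconds.
    (Hypothetical class written for this example.)"""

    def __init__(self):
        self._expiry = {}

    def receive(self, url: str, header_value, now: float):
        """Process the Strict-Transport-Security header of a response to `url`."""
        parts = urlsplit(url)
        # A policy is only accepted over a secure transport (RFC 6797 section 8.1).
        if parts.scheme != "https" or header_value is None:
            return
        max_age = parse_max_age(header_value)
        if max_age is None:
            return
        host = parts.hostname  # note: the port (2222 here) is NOT part of the key
        if max_age == 0:
            # max-age=0 means "forget this host": the hsts=0 step from the text.
            self._expiry.pop(host, None)
        else:
            self._expiry[host] = now + max_age

    def is_known(self, host: str, now: float) -> bool:
        expiry = self._expiry.get(host.lower())
        return expiry is not None and expiry > now

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite an http:// URL to https:// when the host has a live policy
        (RFC 6797 section 8.3): explicit port 80 becomes 443, other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed scenario: DA login page on :2222 sets hsts=5184000.
    cache = HstsCache()
    cache.receive("https://www.domain.com:2222/", build_hsts_header(5184000), now=0)
    # The unrelated Apache site on port 80 is now upgraded too.
    print(cache.upgrade("http://www.domain.com/", now=10))
    # A host reserved for DA only (server.domain.com) does not affect www.
    cache2 = HstsCache()
    cache2.receive("https://server.domain.com:2222/", build_hsts_header(5184000), now=0)
    print(cache2.upgrade("http://www.domain.com/", now=10))
```

Running the script shows the first lookup rewritten to https://www.domain.com/ while the second stays on plain http, which is exactly why the text recommends pointing ssl_redirect_host and force_hostname at a host name that Apache does not serve.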
