so my vhost config looks like this now:
# TLS-terminating reverse proxy for cloud.mydomain.org: accepts HTTPS on 443
# and forwards every request to the backend at 192.168.1.10 over plain HTTP.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.mydomain.org
ServerAdmin webmaster@localhost
<IfModule mod_headers.c>
# HSTS: 15552000 s (180 days), also applied to subdomains.
# NOTE(review): the curl output posted with this config shows
# "strict-transport-security: max-age=0; includeSubDomains; preload" together
# with "server: cloudflare", so clients do not receive the value set here.
# Presumably the CDN in front of this host rewrites the header - check its
# HSTS setting. max-age=0 tells browsers to discard any stored HSTS policy.
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
# Referrer-Policy is set twice. "set" replaces an earlier value, so only the
# second line ("strict-origin") takes effect, which matches the curl output.
# Keep whichever one is intended and drop the other.
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Prevent MIME-sniffing based attacks.
# Unlike the headers above, this one omits "always" and therefore uses
# mod_headers' default "onsuccess" condition; locally generated error
# responses may not carry it.
Header set X-Content-Type-Options "nosniff"
</IfModule>
SSLEngine on
# Forward-secret key exchange (ECDHE/DHE): AES-GCM suites first, then any
# AES-256 suite.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Disables SSLv2, SSLv3, TLS 1.0 and TLS 1.1; TLS 1.2 and newer stay enabled.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# The server's cipher order takes precedence over the client's.
SSLHonorCipherOrder On
# Hand the original Host header to the backend instead of 192.168.1.10.
ProxyPreserveHost On
# TLS ends here: traffic between this proxy and 192.168.1.10 is unencrypted
# HTTP, so that network segment has to be trusted.
# NOTE(review): the backend only ever sees HTTP and must be told that the
# client side is HTTPS. The cookie names in the curl output suggest Nextcloud,
# where that is done with trusted_proxies / overwriteprotocol in config.php -
# confirm against the backend.
ProxyPass / http://192.168.1.10:80/
ProxyPassReverse / http://192.168.1.10:80/
ErrorLog ${APACHE_LOG_DIR}/cloud.mydomain.org-error.log
CustomLog ${APACHE_LOG_DIR}/cloud.mydomain.org-access.log combined
SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.org/privkey.pem
# NOTE(review): this Certbot-managed file is included after the SSL directives
# above. If it defines SSLProtocol, SSLCipherSuite or SSLHonorCipherOrder, the
# later definitions win - confirm which protocol/cipher settings are effective.
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
and after I ran the command `curl -D- https://cloud.domain.com` I got the following output:
# curl -s -D- https://cloud.mydomain.com
HTTP/2 302
date: Tue, 09 Oct 2018 13:35:02 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=d7c13864ec1f2ffd28cf91ffb2408b8531539092102; expires=Wed, 09-Oct-19 13:35:02 GMT; path=/; domain=.mydomain.com; HttpOnly; Secure
strict-transport-security: max-age=0; includeSubDomains; preload
referrer-policy: strict-origin
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-MjBLcFFxdERXRmpQejhhek1LcUZWQm9pYXhJNlJzMjN1Qnp5dVpaUkJHOD06bGlQSURPb3BhanFGalpUcFo4bTNaM0owQ1dkTEJiWGU3bSt3MGVZWWJCYz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
x-frame-options: SAMEORIGIN
location: https://cloud.mydomain.com/index.php/login
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
set-cookie: ocz9mx9tsb1o=6dmprkt1pl2jank5cancgdbs4g; path=/; secure; HttpOnly
set-cookie: oc_sessionPassphrase=Xmw3IYAhQuePaWGmzCfW7JGf%2BNIAi%2F56KWli7SuwcWyF87KB1V6jRAiCjPOU5QP3RhuwywmRp4Pe0SMEDPiEjQldBBVSGJb8IdZoLt2isiBxiGHBykugknhqQiUwGDOd; path=/; secure; HttpOnly
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare