I have a LAMP server and my SSL certificate provider recommended me to set HSTS header as follows in Apache2:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" env=HTTPS
Questions:
What does preload do?
What does env=HTTPS do?
preload do?The preload flag indicates consent for the domain to be allowed onto the HSTS preload list (used by Chrome, Firefox, IE 11, Edge, and other browsers).
The Chrome security team allows any domain to submit their domain to the list, provided it meets the following requirements:
- HTTPS is enabled on the root domain (e.g.
https://donotcall.gov), and all subdomains (e.g.https://www.donotcall.gov) – especially thewwwsubdomain, if a DNS record for it exists.
max-age, and a preload flag to indicate that the domain owner consents to preloading.Source: https://https.cio.gov/hsts/#hsts-preloading
You can see more information on the HSTS Preload Submission page.
env=HTTPS do?This is an argument of the Apache Header directive (part of the mod_headers module):
env=[!]varnameThe directive is applied if and only if the environment variable
varnameexists. A!in front ofvarnamereverses the test, so the directive applies only ifvarnameis unset.
In this case, the HTTP header is only sent when the HTTPS environment variable is set. This environment variable is only set when pages/resources are accessed via HTTPS. The reasoning behind this is in section 7.2 of the HSTS specification:
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
As to why, see this question.
