I'm looking to add the HSTS header in Apache...
# HSTS / Header Strict Transport Security
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
... but I have a long list of vhosts for different but related sites/sub-sites. I'd rather not have to define it in every one of my vhost definitions, but I'm not aware of a way to include a setting in the main https.conf
that ONLY applies to the 443 / https
versions of those vhosts since it raises warnings in validators when you apply HSTS to a standard 80 / http
site.
I've tried wrapping it in <IfModule mod_ssl.c>...</IfModule>
tags but if I'm not mistaken, this is really just asking Is the SSL module loaded? I tried searching lots of different ways, but when you don't know the term your looking for, it's difficult to sort through all the static. Any suggestions? Thanks!