I have several IP-based virtual hosts that I want to add the Strict-Transport-Security
header on. I'm using Apache 2.4 custom compiled.
Currently I have two <VirtualHost> containers for each domain, like so:
<VirtualHost ${IP3}:80>
    ...
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule .* https://www.${SITE}%{REQUEST_URI} [NE,R=301,L]
    </IfModule>
    ...
</VirtualHost>

<VirtualHost ${IP3}:443>
    ...
</VirtualHost>
The first VirtualHost does a simple mod_rewrite for non-ssl and non-www requests redirecting all requests to the second VirtualHost. Easy.
Question 1
Should I set up my mod_headers stuff in the first VirtualHost container (:80), the second (:443), or both?
Question 2
Should my mod_headers stuff come before or after the mod_rewrite stuff?
Question 3
Should I apply the Strict-Transport-Security headers to all files, or only just .htm, .html and .php files? (I have a FilesMatch directive set up as a qualifier for certain headers)
My Best Guess Answers
Before any testing, my best guess answers would be:
Q1. Add mod_headers stuff to both VirtualHost containers.
Q2. mod_headers stuff should come before mod_rewrite stuff.
Q3. Yes, only those web filetypes that you serve need Strict-Transport-Security. No need to add it to .gifs, .pngs, .svgs, .css, .js, etc.
EDIT: I see stackexchange also adds them to their robots.txt file.
Thanks.
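As an added worked example (editor's configuration, not part of the original question), here is one way to lay out the two containers so the header is sent the way RFC 6797 expects: only on the TLS container, on every response including the 301 that canonicalises non-www hosts, and without a FilesMatch qualifier. Browsers are required to ignore Strict-Transport-Security received over plain HTTP, so nothing is gained by setting it in the :80 container, and the order of mod_headers and mod_rewrite directives inside a container is irrelevant because the two modules act at different request phases (URI translation for rewrite, output filtering for Header). `${IP3}` and `${SITE}` are the Define variables from the question; the ServerName values, certificate paths and max-age are placeholders chosen here.

```apache
# Added example, not the original poster's config. ${IP3} and ${SITE} are the
# question's Define variables; ServerName, cert paths and max-age are placeholders.

<VirtualHost ${IP3}:80>
    ServerName www.${SITE}
    ServerAlias ${SITE}
    # Plain-HTTP container: send everything to https://www.${SITE}.
    # No Strict-Transport-Security here: RFC 6797 section 8.1 makes user agents
    # ignore the header on non-TLS connections, so setting it would be dead weight.
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteRule ^ https://www.${SITE}%{REQUEST_URI} [NE,R=301,L]
    </IfModule>
</VirtualHost>

<VirtualHost ${IP3}:443>
    ServerName www.${SITE}
    ServerAlias ${SITE}
    SSLEngine on
    # Placeholder paths: substitute the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/www.example.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.key

    # Canonicalise https://${SITE}/... to https://www.${SITE}/... as well.
    # The HSTS header below is still attached to this 301 because of "always".
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^ https://www.${SITE}%{REQUEST_URI} [NE,R=301,L]
    </IfModule>

    <IfModule headers_module>
        # "always" puts the header on every response, including 3xx/4xx/5xx;
        # plain "Header set" only reaches successful (2xx) responses.
        # No FilesMatch: the browser records HSTS from whichever response it
        # receives first, so an image, a stylesheet or robots.txt fetched on
        # its own must carry the header too.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>
```

Before raising max-age to a year, start with a short value (minutes or hours) and confirm every host covered by includeSubDomains actually serves valid TLS; once the header is cached, a broken subdomain stays unreachable until the policy expires. Check the result with `curl -sI https://www.${SITE}/robots.txt` (and a non-existent path to see a 404 carrying the header) rather than trusting the config alone.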