I'm trying to change the Strict-Transport-Security header my server generates for each website, for one specific website. The current header is:

    strict-transport-security: max-age=300

I found the Apache Directives field for the website and added:

    <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>

Using an external resource, I found the website now produces two headers: both the original with max-age=300 and the additional header. Browsers pick up the original max-age=300 setting, ignoring the added setting in the Apache Directives field. How do I replace the default Strict-Transport-Security header instead of adding an extra one?

Setup:
- ISPConfig 3.3.0p1
- Ubuntu 20.04 LTS ('perfect server setup')
Set it without the IfModule lines. I set a few directives as:

Code:
    Header set X-Content-Type-Options: "nosniff"
    Header set X-Xss-Protection "1; mode=block"
    Header set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy 'same-origin'

This seems to work fine and gets a score of 100% on internet.nl.
Thank you for the suggestions, nhybgtvfr. I tried adding these to the domain, but still two records are generated: one with the default max-age and one with the newly set max-age=31536000.
Maybe you are using a CMS and that sets the other header? ISPConfig itself does not set a Strict-Transport-Security header at all by default.
Thanks for the suggestion, that turned out to be the culprit. After changing the settings in the CMS, the website now sends headers according to the settings in the Apache Directives field in ISPConfig. Problem solved, thanks guys!
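Two points from this thread are worth making checkable. First, the symptom in the opening post is exactly what RFC 6797 section 8.1 prescribes: when a response carries more than one Strict-Transport-Security field, the browser processes only the first one, so a second field appended with a larger max-age is ignored. Second, a general mod_headers caveat that fits the symptom: headers produced by a CGI or FastCGI backend (PHP-FPM, and therefore a PHP CMS) are kept in the response table that the `always` condition addresses, so `Header set` without `always` does not touch them and `Header always add` appends a second field next to them; `Header always set` is the form that replaces a backend-generated header. In the thread the fix was made in the CMS instead, which removes the first header altogether. The script below is an added example, not code from the thread or from ISPConfig: it reads a raw HTTP header block on stdin, counts the Strict-Transport-Security fields, extracts the max-age a browser will actually enforce (the first field's), and fails when there are duplicates or the effective max-age is below a minimum. The function names and the two sample responses are constructed for this example, not captured from any real server.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Strict-Transport-Security (STS)
# headers in a raw HTTP response header block read from stdin.
# RFC 6797 section 8.1: when a response carries more than one STS header field,
# the browser processes only the FIRST one. A second field appended later with
# a bigger max-age is ignored, which is the symptom described in the thread.

# Print every STS field value, one per line. CRs are stripped, parsing stops at
# the blank line that ends the header block, the name matches case-insensitively.
hsts_headers() {
    tr -d '\r' | sed '/^$/q' | grep -i '^strict-transport-security:' \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Number of STS header fields in the response (0 if none).
hsts_count() {
    hsts_headers | wc -l | tr -d ' '
}

# The max-age a browser will enforce: the one in the first STS field.
# Prints nothing if there is no STS header or it carries no max-age directive.
hsts_effective_max_age() {
    hsts_headers | head -n 1 | tr ';' '\n' | tr -d ' ' \
        | grep -i '^max-age=' | head -n 1 | cut -d= -f2
}

# Pass (exit 0) only when exactly one STS field is present and its max-age is at
# least $1 seconds (default 31536000 = one year, the minimum hstspreload.org
# requires). Otherwise print the reason and return 1.
hsts_verdict() {
    min=${1:-31536000}
    hdrs=$(cat)
    n=$(printf '%s\n' "$hdrs" | hsts_count)
    age=$(printf '%s\n' "$hdrs" | hsts_effective_max_age)
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $n STS headers; browsers enforce only the first (max-age=$age)"; return 1
    fi
    if [ -z "$age" ] || [ "$age" -lt "$min" ]; then
        echo "FAIL: effective max-age '$age' is below $min"; return 1
    fi
    echo "OK: one STS header, max-age=$age"
}

# Constructed sample responses (not captured from any real server).
# 1) The CMS emits max-age=300, then "Header always add" appends a second field.
sample_duplicate() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache\r\n'
    printf 'Strict-Transport-Security: max-age=300\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n\r\n'
}
# 2) After the CMS header is switched off (or "Header always set" replaces it).
sample_fixed() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n\r\n'
}

# Demo on the constructed samples; "|| true" keeps the expected failure from
# aborting a shell that runs with "set -e".
sample_duplicate | hsts_verdict || true
sample_fixed | hsts_verdict
# Against a live site: curl -sD - -o /dev/null https://www.example.com/ | hsts_verdict
```

Run it as shown in the last comment against the site after changing the Apache Directives field; the check reports the duplicate and the max-age that browsers will actually honour, which an online header scanner may not make obvious. Only send `preload` when you actually intend to submit the domain to the HSTS preload list, and remember that `includeSubDomains` commits every subdomain to HTTPS for the whole max-age.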