HOW TO Force HSTS in CloudBolt Server


CloudBolt ships its OVA with a self-signed certificate and a bare-minimum Apache configuration. If you want to enforce HSTS in CloudBolt's Apache, follow this guide.


You are running the CloudBolt OVA, which supports Apache/2.4.6.


Step 1 - Confirm/Install

  1. SSH to the CloudBolt instance as root

  2. Run grep headers_module /etc/httpd/conf.modules.d/*

    1. The output should be:
      [root@cb-230322-root-001-centos7-KEEP modules]# grep headers_module /etc/httpd/conf.modules.d/*
      /etc/httpd/conf.modules.d/00-base.conf:LoadModule headers_module modules/

Step 2 - Edit the httpd config

  1. Go to /etc/httpd/conf

  2. Run vi httpd.conf

  3. Add these lines:

# Load the headers module
LoadModule headers_module modules/

<VirtualHost *:443>
    # HSTS (31536000 seconds = 1 year)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Once a web browser has accessed the site and received the header, it will remember that the site should only be accessed over HTTPS for the duration of the max-age value. This value is reset every time the site is accessed.

To always redirect your visitors to the HTTPS version of your website, use the following configuration:

<VirtualHost *:80>
    Redirect permanent /
</VirtualHost>

Step 3 - Reload Apache

systemctl reload httpd
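
To confirm after the reload that the header is actually served, the following check validates a response's headers against the policy from Step 2. It is an added example, not part of the original CloudBolt guide; the function names and the sample responses are constructed for illustration.

```shell
# check_hsts [MIN_AGE]: read HTTP response headers on stdin; return 0 only if
# Strict-Transport-Security has max-age >= MIN_AGE and includeSubDomains,
# i.e. the policy configured in Step 2.
check_hsts() {
    min_age=${1:-31536000}
    # Header names are case-insensitive; responses use CRLF line endings.
    value=$(tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header" >&2; return 1
    fi
    # Directive names are case-insensitive and max-age may be quoted (RFC 6797).
    lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]' | tr -d ' \t"')
    max_age=; subdomains=no
    old_ifs=$IFS; IFS=';'
    for d in $lower; do
        case $d in
            max-age=*) max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
        esac
    done
    IFS=$old_ifs
    case $max_age in
        ''|*[!0-9]*) echo "FAIL: missing or invalid max-age" >&2; return 1 ;;
    esac
    if [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$max_age is below $min_age" >&2; return 1
    fi
    if [ "$subdomains" != yes ]; then
        echo "FAIL: includeSubDomains not set" >&2; return 1
    fi
    echo "OK: max-age=$max_age; includeSubDomains"
}

# Constructed sample responses (not captured from a real server).
good_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n'
}
missing_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n\r\n'
}
short_response() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n'
}

# On the server: curl -skI https://localhost/ | check_hsts
# (-k because the OVA ships a self-signed certificate)
good_response | check_hsts
```

Browsers ignore the HSTS header when it arrives over a connection with certificate errors (RFC 6797), so with the default self-signed certificate the header is visible to curl -k but browsers do not record the policy. Install a certificate that clients trust for the policy to take effect.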
