Implementing HSTS for Moodle

by Obi Okonkwo -
Number of replies: 4
Hi all,
I'm helping manage a Moodle deployment in my environment and I was recently asked to assist in implementing HSTS on the site.

My site is deployed using Apache, so I figured, from the documentation out there, that simply adding the config to the vhost section of my apache2 config file and restarting Apache would do it.
root@myhost:/~/moodlehome/# cat /etc/apache2/sites-enabled/moodle.conf |grep -i -B1 STRICT
# HSTS configuration
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

I can also confirm the config is set by looking at the headers returned using the curl test below:
[Desktop1]:$ curl -IXGET -L -k https://<my-site-uri> |grep -i -B2 Strict
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
 0  1510    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Date: Tue, 01 Aug 2023 15:53:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

However, my security team is still flagging this as not configured, saying that HSTS is not configured on the domain.
What's the definitive way to do this for Moodle and am I missing something?
Please help!?!😅😭
In reply to Obi Okonkwo

Re: Implementing HSTS for Moodle

by Sergio Rabellino -
AFAIK, HSTS is a matter of the web server, not related to the application. So you should verify your Apache configuration for the correct HSTS setup, not Moodle.
Take a look here: https://tecadmin.net/enable-hsts-in-apache/
In reply to Sergio Rabellino

Re: Implementing HSTS for Moodle

by Obi Okonkwo -
Thanks Sergio,

That's exactly what I thought as well; it should all be in the web server. My HSTS setup for Apache is the same as in the link you shared.
So I'm confused about the feedback from sec.
I'm 95% sure the issue is not in apache, which is why I'm enquiring about Moodle.

We use OIDC to authorize Moodle logins through our AD, and the feedback is specifically:

"When looking at the results we can see there is no HSTS header enabled for this domain. In order to pass this check, HSTS has to be enabled on this domain. Currently, it looks like HSTS is only enabled on the domain it is redirecting to, which appears to be a Microsoft login page."

I don't see what other HSTS config can be done in Apache, so does this mean the issue is in the OIDC integration?
In reply to Obi Okonkwo

Re: Implementing HSTS for Moodle

by Dirk Dettmering -
To get some hard facts about your web server's encryption: test your Moodle instance with the Qualys SSL Server Test. With the result of that test you will get some good arguments for the discussion with your colleagues from the security team.
In reply to Obi Okonkwo

Re: Implementing HSTS for Moodle

by Sergio Rabellino -
In the web page I linked there are also some suggestions for checking the HSTS status with external tools (useful to mimic what Microsoft's OIDC sees).
Did you try these tools against your installation?
Just to say: are you adding the config lines for HSTS in the wrong Apache context, so that it's not applied to the Moodle website/subsite?

This tracker post confirms what we both said: https://tracker.moodle.org/browse/MDLSITE-3199
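The security team's feedback quoted above is about which hop in the redirect chain carries the header: a scanner that follows the OIDC redirect can end up reporting only the IdP's policy, while a browser only trusts a Strict-Transport-Security header it received over HTTPS from the origin itself (RFC 6797 §8.1). The following is an added example, not code from the thread or from Moodle, that walks every hop of a redirect chain and grades each one the way a browser would. The host names, the captured chains and the IdP's header value are constructed for illustration; `fetch_chain()` does the same walk live against a URL you pass on the command line.

```python
"""Check HSTS on every hop of a redirect chain, not only on the final page.

Added example (not from the thread or from Moodle). Host names, header
values and captured chains below are constructed for illustration.
"""
import http.client
from urllib.parse import urljoin, urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 s6.1.

    max-age is mandatory, directive names are case-insensitive, delta-seconds
    may be quoted, and a directive that appears twice invalidates the header
    (a UA must then ignore it). Returns a dict, or None when invalid."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:                      # the grammar allows empty directives
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def fetch_chain(url, max_hops=10, timeout=10):
    """Follow redirects by hand and record (url, status, headers) per hop."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.hostname, u.port, timeout=timeout)
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", path, headers={"User-Agent": "hsts-audit/1"})
        resp = conn.getresponse()
        headers = {}
        for k, v in resp.getheaders():
            headers.setdefault(k.lower(), v)   # RFC 6797 s8.1: first STS header wins
        conn.close()
        hops.append((url, resp.status, headers))
        if resp.status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
        else:
            break
    return hops


def audit_chain(hops, origin_host, min_age=31536000):
    """Grade each hop. 'ok' is None for hops that cannot establish the origin's
    policy at all (plain HTTP, or a third-party host such as the IdP)."""
    report = []
    for url, status, headers in hops:
        u = urlsplit(url)
        host = u.hostname or ""
        own = host == origin_host or host.endswith("." + origin_host)
        raw = headers.get("strict-transport-security")
        policy = parse_hsts(raw) if raw else None
        if u.scheme != "https":
            ok, note = None, ("HSTS over plain HTTP is ignored by browsers" if raw
                              else "plain HTTP hop; should redirect to https")
        elif not own:
            ok, note = None, "third-party host; its policy does not protect the origin"
        elif policy is None:
            ok, note = False, "no valid Strict-Transport-Security header on this response"
        elif policy["max_age"] < min_age:
            ok, note = False, f"max-age {policy['max_age']} is below {min_age}"
        else:
            ok, note = True, "valid HSTS policy"
        report.append({"url": url, "status": status, "ok": ok, "note": note})
    return report


def origin_protected(report):
    """True only if every HTTPS response from the origin carries a valid policy."""
    own = [r["ok"] for r in report if r["ok"] is not None]
    return bool(own) and all(own)


# Constructed capture of the situation the security team describes: the Moodle
# origin 302s straight to the IdP and only the IdP's answer carries HSTS.
IDP = "https://login.microsoftonline.com/"
BAD_CHAIN = [
    ("https://moodle.example.edu/", 302,
     {"server": "Apache/2.4.41 (Ubuntu)", "location": IDP}),
    (IDP, 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
# Constructed capture of a correct deployment: the http vhost redirects, and
# every HTTPS response from the origin, the 302 included, carries the header.
GOOD_CHAIN = [
    ("http://moodle.example.edu/", 301, {"location": "https://moodle.example.edu/"}),
    ("https://moodle.example.edu/", 302,
     {"server": "Apache/2.4.41 (Ubuntu)", "location": IDP,
      "strict-transport-security": "max-age=63072000; includeSubdomains; preload"}),
    (IDP, 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    import sys
    hops = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else BAD_CHAIN
    report = audit_chain(hops, urlsplit(hops[0][0]).hostname)
    for r in report:
        print(f"{r['status']} {r['url']}: {r['note']}")
    print("origin protected:", origin_protected(report))
```

Run it with no arguments to see the constructed failing chain graded, or with `https://<your-moodle-host>/` to walk the real one; `curl -sS -o /dev/null -D - -L https://<your-moodle-host>/` dumps the same per-hop headers if you prefer to eyeball them. Two things the grading reflects: a header received over plain HTTP never sets a policy, so the port-80 vhost needs a redirect rather than the header, and the origin's HTTPS redirect to the IdP must itself carry the header, which is what Apache's `Header always set` (rather than a plain `Header set`, which applies only to successful responses) gives you.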