I'm helping manage a Moodle deployment in my environement and I was recently asked to assist to implement HSTS on the site.
My site is deployed using apache, so I figured with documentation out there that simply adding the config into the vhost section of my apache2 config file and restarting apache would do it.
root@myhost:/~/moodlehome/# cat /etc/apache2/sites-enabled/moodle.conf |grep -i -B1 STRICT
# HSTS configuration
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
[Desktop1]:$ curl -IXGET -L -k https://<my-site-uri> |grep -i -B2 Strict
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 1510 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Date: Tue, 01 Aug 2023 15:53:23 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
However, my security team is still flagging this as not configured. Saying that HSTS is not configured on the domain.
What's the definitive way to do this for Moodle and am I missing something?
Please help!?!😅😭