For Apache httpd

Verify that the Apache httpd headers module (mod_headers) is enabled in /etc/httpd/conf/httpd.conf:

LoadModule headers_module modules/mod_headers.so

Add the following configuration to the <VirtualHost *:443> virtual host in /etc/httpd/conf.d/ssl.conf, or to each SSL-enabled virtual host:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"


Restart the httpd service:

systemctl restart httpd

Verify the configuration; the response headers should include Strict-Transport-Security:

curl -v -A cUrl -k https://ol7-olvm


For nginx

Back up the nginx configuration file:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

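Add the following to the http or server block in nginx.conf (a nested block that defines its own add_header directives does not inherit these):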

add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Restart the nginx service

systemctl restart nginx
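
A header check that covers both servers, as an added example that is not part of the original page. The function name check_hsts, the default threshold and the sample responses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate the HSTS header in a set of HTTP response headers.
# check_hsts is a hypothetical helper name; MIN_AGE defaults to 31536000,
# the smaller of the two max-age values configured on this page (assumption).
# Return codes: 0 ok, 1 header missing, 2 max-age missing/too small,
# 3 includeSubDomains missing.
check_hsts() {
    min_age=${1:-31536000}
    # Header names are case-insensitive (HTTP/2 shows them lowercased);
    # drop the CR of CRLF line endings before matching.
    value=$(tr -d '\r' | awk -F: 'tolower($1) == "strict-transport-security" {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    # Normalise: lowercase, strip blanks and quotes, one directive per line.
    directives=$(printf '%s\n' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t"' | tr ';' '\n')
    max_age=$(printf '%s\n' "$directives" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ] || [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age '${max_age:-absent}' is below $min_age"; return 2
    fi
    if ! printf '%s\n' "$directives" | grep -qx 'includesubdomains'; then
        echo "FAIL: includeSubDomains missing"; return 3
    fi
    echo "OK: max-age=$max_age; includeSubDomains"
}

# Constructed sample responses (not captured from a real host).
CR=$(printf '\r')
apache_sample="HTTP/1.1 200 OK$CR
Server: Apache$CR
Strict-Transport-Security: max-age=63072000; includeSubDomains$CR"
nginx_sample="HTTP/2 200
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains"
missing_sample="HTTP/1.1 200 OK
Content-Type: text/html"

for s in "$apache_sample" "$nginx_sample" "$missing_sample"; do
    printf '%s\n' "$s" | check_hsts || true
done
# Against a live server: curl -sI -k https://ol7-olvm | check_hsts
```

A max-age of 0 tells the browser to drop the HSTS policy, so the check reports it as a failure rather than as a present header.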