My web application runs on a number of different hosts that I control. To avoid having to change the Apache config of each vhost, I add most of the config using .htaccess files in my repo, so the basic setup of each host is just a couple of lines. This also makes it possible to change the config when deploying a new version. Currently the .htaccess (un)sets headers, does some rewrite magic and controls the caching of the UA.
I want to enable HSTS in the application using .htaccess. Just setting the header is easy:
# Unconditional: sent on every response, HTTP and HTTPS alike
Header always set Strict-Transport-Security "max-age=31536000"
But the spec clearly states: "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport." So I don't want to send the header over plain HTTP connections. See http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14 .
I tried to set the header conditionally using environment variables, but got stuck there. Does anyone know how to do that?
Apparently there is an HTTPS environment variable available that can be used easily. For people with the same question:
# env=HTTPS: applied only when mod_ssl has set the HTTPS variable, i.e. on TLS connections
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
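A fuller .htaccess built on the same env=HTTPS idea, as an added example (not part of the question or the answer above). It adds two things a practitioner will usually want: `always`, so the header also goes out on redirects and error responses (without it, mod_headers only touches successful responses), and a SetEnvIf fallback for the case where TLS is terminated at a load balancer and Apache itself only ever sees plain HTTP, so mod_ssl never sets HTTPS. The header name `X-Forwarded-Proto` is the conventional one; whether your proxy sets it, and whether it strips a client-supplied copy, is an assumption you must verify for your own deployment.

```apache
# .htaccess, example only (requires AllowOverride FileInfo for the vhost)

# 1. Behind a TLS-terminating proxy mod_ssl never runs, so HTTPS is unset.
#    Derive it from X-Forwarded-Proto instead. ONLY do this when the proxy
#    is trusted to overwrite any X-Forwarded-Proto the client sent; otherwise
#    a client on plain HTTP could make Apache believe the request was secure.
SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

# 2. Send every plain-HTTP request to HTTPS first; HSTS is only useful once
#    the browser has actually seen one HTTPS response.
RewriteEngine On
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. HSTS, but only on responses conveyed over TLS (env=HTTPS), as the spec
#    requires. "always" makes mod_headers apply it to redirects and error
#    responses as well, not just 2xx responses.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

# 4. Defensive: make sure no stale copy leaks on the plain-HTTP side, e.g. one
#    added by an upstream config with a different condition.
Header always unset Strict-Transport-Security env=!HTTPS
```

To check the result, request the same URL once over http:// and once over https:// with `curl -sI` and compare the headers: the HTTP response must be the 301 and carry no Strict-Transport-Security header at all, while the HTTPS response must carry it. Behind a proxy, repeat the HTTPS request with a forged `X-Forwarded-Proto: https` on the plain-HTTP port; if the header shows up, the proxy is not overwriting client-supplied values and the SetEnvIf line must be removed.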