HTTP Strict Transport Security (HSTS) is an opt-in browser security mechanism that lets web site owners declare “Encrypted Communications Only”.

The Strict-Transport-Security HTTP header instructs browsers to communicate with the domain only over SSL/TLS for a set period of time (the max-age). HSTS only takes effect after a browser has received a valid header from the domain. Its purpose is to ensure that unencrypted communication with your domain or site is never allowed, which mitigates attacks such as SSL stripping.

The HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains

The max-age parameter value is in seconds; 31536000 seconds equals 365 days. Notice how the above also uses includeSubDomains. This optional parameter informs the browser to force secure communication to the site’s subdomains as well.

Browsers must receive the Strict-Transport-Security header over an HTTPS connection with the domain; HSTS headers over HTTP are not recognized as valid.

Threat Mitigation
HSTS mitigates the following threats.

1. HTTP request to an HTTPS site
For example:
1. User wants to visit
2. User types into the address bar
3. Browser automatically appends “http://” making the following request:
4. Server responds with 301 (permanent redirect) to the following location:
5. Browser makes request to above URL

The above scenario allows for a man-in-the-middle attack as a result of the unintentional HTTP request to the site. An attacker can leverage a tool such as sslstrip to transparently hijack the HTTP request before the 301 redirect is ever seen. HSTS closes this attack window as long as the user previously accessed the site over HTTPS and obtained the HSTS header.

Even with HSTS enabled, a user’s initial request to would remain unprotected from attacks. As a result, both Chrome and Mozilla introduced HSTS preload lists. If is on Chrome’s HSTS preload list, a freshly installed Chrome browser will only allow secure connections to that site, even if the user never accessed it before.

2. Insecure link referencing an HSTS enabled site

For example:

1. includes a link to
2. The browser rewrites the link to HTTPS for the HSTS-enabled site before any request is sent

3. Invalid Certificate
The following would be considered invalid certificates:
– Self-signed and/or untrusted CA signed certificate
– Expired
– Wrong name specified
– …

HSTS displays an error message as shown below. In addition, it will NOT allow the user to override the error message, thus preventing a potential attack by ensuring the victim does not accept the bad certificate.

Enabling HSTS
You can enable HSTS in Apache with mod_headers and the following line in your configuration:

# this domain should only be contacted in HTTPS for the next 6 months
Header add Strict-Transport-Security "max-age=15768000"

Afterwards, restart Apache and test the configuration change:

# curl -si | grep ^Strict
Strict-Transport-Security: max-age=31536000 

In Nginx, update nginx.conf:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

In Rails, HSTS can be enabled with the following:

config.force_ssl = true

HSTS Preload Lists
Code repository:

Add your site using the following:

Code repository:

Firefox does not maintain its own list; instead, it uses a subset of Google’s. Firefox only accepts sites on Google’s preload list that have a max-age greater than or equal to 18 weeks (10886400 seconds). See for more information.

Testing HSTS
– Leverage an intercepting proxy (e.g. Burp) or browser tools (e.g. Chrome DevTools / Firefox Developer Tools) to examine server responses

– In Chrome, type the below to determine if a host is in your STS cache

– In Firefox, you can use the Strict Transport Security Detector add-on to see if the site supports HSTS (
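The following Python script is an added illustration, not part of the original text and not any browser's code. It models the behaviour described above: it parses a Strict-Transport-Security value (rejecting the `max-age:` spelling, which is not a valid directive), records a policy only when it arrived over HTTPS, rewrites http:// URLs for a remembered host (and its subdomains when includeSubDomains is set) until max-age expires, and checks the 18-week minimum Firefox applies to preloaded entries. The host names (example.test, preloaded.test) and the simplified cache model are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Firefox only takes preload entries whose max-age is at least 18 weeks (from the text).
FIREFOX_PRELOAD_MIN_AGE = 18 * 7 * 24 * 3600  # 10886400 seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is not a valid policy.

    max-age must be written with '=' ("max-age:31536000" is not a directive at all).
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, sep, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not sep or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def firefox_preload_eligible(value):
    """True when the policy's max-age meets Firefox's 18-week preload threshold."""
    policy = parse_hsts(value)
    return policy is not None and policy.max_age >= FIREFOX_PRELOAD_MIN_AGE


class HstsCache:
    """Toy model of a browser's HSTS store (assumed structure, not browser code)."""

    def __init__(self, preload=()):
        # preload entries never expire: host -> includeSubDomains flag
        self.preloaded = {host.lower(): sub for host, sub in preload}
        self.entries = {}  # host -> (expires_at, includeSubDomains)

    def observe(self, url, headers, now):
        """Store the policy from a response; headers seen over plain HTTP are ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy.max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host, now):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and now < entry[0] and (exact or entry[1]):
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// for known hosts, before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url


if __name__ == "__main__":
    cache = HstsCache()
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    cache.observe("https://example.test/", hdr, now=0)          # first visit over HTTPS
    print(cache.upgrade("http://example.test/", now=10))        # https://example.test/
    print(cache.upgrade("http://www.example.test/", now=10))    # subdomain covered too
    print(cache.upgrade("http://example.test/", now=31536001))  # expired: stays http
```

The `observe` step is where the two threat scenarios differ: a header that only ever arrives over HTTP is never stored, so the first plain-HTTP visit stays unprotected unless the host is in the preload set passed to the constructor.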


Home » Service Configuration » Apache Configuration » Global Configuration

Minimum Spare Servers 8
Maximum Spare Servers 32
Max Clients 1500
Max Requests Per Child 0
Start Servers 8
Server Limit 2000
Keep-Alive Timeout 15
Max Keep-Alive Requests 256

Other options:

–addition of memcache
–recompiling Apache to run as Prefork as opposed to the MPM Worker/Event

Check for Prefork or Worker

[root@austin ~]# /usr/sbin/httpd -V | grep MPM
Server MPM:     Prefork
 -D APACHE_MPM_DIR="server/mpm/prefork"

–Reduced some of the limits in the apache config. Many things that should be in the hundreds were set in the thousands.
–KeepAlive on was simply adding too large of a load to the server.

Timeout 300

Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.

On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.

KeepAlive On

This setting should be “On” unless the server is getting requests from hundreds of IPs at once.

High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.

MaxKeepAliveRequests 100

This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.

It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.

KeepAliveTimeout 15

The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.

It is recommended that this value be lowered to 5 on all servers.

MinSpareServers 5

This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer idle spare servers than specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.

Other suggestions:

Virtualized server, ie VPS 5
Dedicated server with 1-2GB RAM 10
Dedicated server with 2-4GB RAM 20
Dedicated server with 4+ GB RAM 25

MaxSpareServers 10

The MaxSpareServers directive sets the desired maximum number of idle child server processes. An idle process is one which is not handling a request. If there are more than MaxSpareServers idle, then the parent process will kill off the excess processes.

The MaxSpareServers value should be set as double the value that is set in MinSpareServers.

StartServers 5

This directive sets the number of child server processes created on startup. This value should mirror what is set in MinSpareServers.

MaxClients 150

This directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the specified limit will be queued. Once a process is freed at the end of a different request, the queued connection will then be served.

For virtualized servers such as VPS accounts, it is recommended to keep this value at 150. For all dedicated servers the recommended value for this setting is 250.

MaxRequestsPerChild 0

This directive sets the limit on the number of requests that an individual child server process will handle. After the number of requests reaches the value specified, the child process will die. When this value is set at 0, then the process will never expire.

Other adjustments:

Virtualized server, ie VPS 300
Dedicated server with 1-4GB RAM 500
Dedicated server with 4+GB RAM 1000
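As an added example (not from this page and not Apache code), the following Python linter reads a prefork configuration fragment and flags the rules of thumb given above (MaxSpareServers double MinSpareServers, StartServers equal to MinSpareServers, KeepAliveTimeout at most 5) together with two constraints Apache itself enforces at startup: MaxSpareServers must be at least MinSpareServers + 1, and MaxClients cannot exceed ServerLimit (Apache corrects both values and logs a warning). The sample configuration is constructed from the values in the first tuning block on this page.

```python
# Directives the linter understands; everything else in the fragment is ignored.
DIRECTIVES = ("StartServers", "MinSpareServers", "MaxSpareServers",
              "ServerLimit", "MaxClients", "MaxRequestsPerChild",
              "KeepAlive", "KeepAliveTimeout", "MaxKeepAliveRequests", "Timeout")

# Constructed fragment using the first tuning block from the text.
SAMPLE_CONFIG = """\
# prefork settings as found on the server
StartServers 8
MinSpareServers 8
MaxSpareServers 32
ServerLimit 2000
MaxClients 1500
MaxRequestsPerChild 0
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 256
"""


def parse_prefork(config_text):
    """Pick the prefork-related directives out of an httpd.conf fragment."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in DIRECTIVES:
            settings[name] = int(value) if value.isdigit() else value
    return settings


def lint_prefork(settings):
    """Return a list of (severity, message); empty when nothing stands out."""
    g = settings.get
    problems = []
    min_spare, max_spare = g("MinSpareServers"), g("MaxSpareServers")
    # Constraints Apache enforces itself (it corrects the value and logs a warning).
    if min_spare is not None and max_spare is not None and max_spare < min_spare + 1:
        problems.append(("error", "MaxSpareServers must be at least MinSpareServers + 1"))
    if g("MaxClients") is not None and g("ServerLimit") is not None \
            and g("MaxClients") > g("ServerLimit"):
        problems.append(("error", "MaxClients exceeds ServerLimit and will be capped"))
    # Rules of thumb from the text.
    if min_spare and max_spare != 2 * min_spare:
        problems.append(("warn", "MaxSpareServers should be double MinSpareServers"))
    if g("StartServers") is not None and g("StartServers") != min_spare:
        problems.append(("warn", "StartServers should mirror MinSpareServers"))
    if isinstance(g("KeepAliveTimeout"), int) and g("KeepAliveTimeout") > 5:
        problems.append(("warn", "KeepAliveTimeout should be lowered to 5"))
    return problems


if __name__ == "__main__":
    for severity, message in lint_prefork(parse_prefork(SAMPLE_CONFIG)):
        print(f"{severity}: {message}")
```

Run against the sample, the linter reports only the two rule-of-thumb warnings (MaxSpareServers is 32 rather than 16, and KeepAliveTimeout is 15); a fragment with MaxSpareServers equal to MinSpareServers or MaxClients above ServerLimit produces the error-level findings that Apache would otherwise correct silently at startup.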

Other resources:

For cPanel/WHM, to enable PDO in the system you can use EasyApache:

1. Login to WHM
2. Click Apache Update
3. Click Start Customizing Based on Profile
4. Select an Apache version
5. Click Next Step
6. Select PHP 5
7. Click Next Step
8. Select a version of PHP 5
9. Click Next Step
10. Click Exhaustive Options List button
11. Scroll down to the check box labeled PDO
12. Click Save and Build

By default the deflate module is already compiled in on Plesk-based Linux servers (newer versions). You just need to add the rules in Apache to enable/load the deflate module.

You can test if your website already has mod_deflate enabled using the following tool.

Check the main httpd.conf file

# grep 'mod_deflate' /etc/httpd/conf/httpd.conf

If the result was LoadModule deflate_module modules/, you can continue. If the result was #LoadModule deflate_module modules/, please run the following command:

# perl -pi -e 's/^#\s*(LoadModule deflate_module)/$1/' /etc/httpd/conf/httpd.conf

Then add this to the httpd.conf file for the site

# Deflate output configuration
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

Restart Apache and test from online tools to see if deflate is enabled.

Other configuration

Include this in the conf.d directory. Make sure that the conf.d directory is included in httpd.conf.

# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

Restart Apache and test from online tools to see if deflate is enabled.


On a Plesk server, the mod_deflate module is installed by default, but it may be disabled in the Apache configuration file. To enable the mod_deflate module in Plesk, edit the Apache configuration file:

# vi /etc/httpd/conf/httpd.conf

Find the line that reads:

#LoadModule deflate_module modules/

and uncomment it, i.e. remove the ‘#’ mark:

LoadModule deflate_module modules/

Now, create a /etc/httpd/conf.d/deflate.conf file. Apache reads all the .conf files from the /etc/httpd/conf.d directory on a Plesk server.

# vi /etc/httpd/conf.d/deflate.conf

and place the following code in it:

SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI  \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary

Save the file and restart Apache.

# service httpd restart
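To show how the BrowserMatch and SetEnvIfNoCase rules above combine into a compress/no-compress decision, here is an added Python model of that environment-variable logic. It is an illustration written for this page, not mod_deflate or mod_setenvif code; the patterns are the ones from the configuration above (including the unescaped dot in `^Mozilla/4.0[678]`), BrowserMatch is treated as case-sensitive and SetEnvIfNoCase as case-insensitive, as in Apache, and the user-agent strings are constructed. It also demonstrates why a copied rule that lost its backslash (`bMSIE` instead of `\bMSIE`) never matches anything.

```python
import re

# Constructed rule set mirroring the directives in the text.  Each entry is
# (directive, pattern, variables); a leading '!' unsets a variable, as in
# Apache's BrowserMatch syntax.  Added illustration, not mod_deflate code.
RULES = [
    ("BrowserMatch", r"^Mozilla/4", ["gzip-only-text/html"]),
    ("BrowserMatch", r"^Mozilla/4.0[678]", ["no-gzip"]),
    ("BrowserMatch", r"\bMSI[E]", ["!no-gzip", "!gzip-only-text/html"]),
    ("SetEnvIfNoCase", r"\.(?:gif|jpe?g|png)$", ["no-gzip", "dont-vary"]),
]


def apply_rules(user_agent, request_uri, rules=RULES):
    """Evaluate the rules in order and return the environment variables left set."""
    env = set()
    for directive, pattern, variables in rules:
        if directive == "BrowserMatch":        # case-sensitive match on User-Agent
            matched = re.search(pattern, user_agent) is not None
        elif directive == "SetEnvIfNoCase":    # case-insensitive match on Request_URI
            matched = re.search(pattern, request_uri, re.IGNORECASE) is not None
        else:
            raise ValueError("unsupported directive: " + directive)
        if not matched:
            continue
        for var in variables:
            if var.startswith("!"):
                env.discard(var[1:])
            else:
                env.add(var)
    return env


def deflate_decision(user_agent, request_uri, content_type):
    """Return (compress, vary_user_agent) as the configuration above would decide.

    mod_deflate skips compression when no-gzip is set, and when
    gzip-only-text/html is set for anything other than text/html.  The
    'Header append Vary User-Agent env=!dont-vary' line adds Vary unless
    dont-vary is set.
    """
    env = apply_rules(user_agent, request_uri)
    if "no-gzip" in env:
        compress = False
    elif "gzip-only-text/html" in env:
        compress = content_type.startswith("text/html")
    else:
        compress = True
    return compress, "dont-vary" not in env


def backslash_lost(user_agent):
    # Returns (matches "bMSIE", matches "\bMSIE"): the first pattern, with the
    # backslash dropped, looks for the literal letters "bMSIE" and is dead code.
    return (re.search(r"bMSIE", user_agent) is not None,
            re.search(r"\bMSIE", user_agent) is not None)


if __name__ == "__main__":
    # Constructed user-agent strings for the three browser families the rules target.
    samples = [
        ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "/index.html", "text/html"),
        ("Mozilla/4.07 [en] (X11; I; Linux 2.2.12 i686)", "/index.html", "text/html"),
        ("Mozilla/4.5 [en] (X11; U; Linux)", "/style.css", "text/css"),
        ("Mozilla/5.0 (X11; Linux x86_64)", "/img/logo.PNG", "image/png"),
    ]
    for ua, uri, ctype in samples:
        print(ua.split(" ")[0], uri, deflate_decision(ua, uri, ctype))
```

The image rule is the one most worth checking after a copy-and-paste: if the leading backslash in `\.(?:gif|jpe?g|png)$` is lost, the pattern still matches (an unescaped dot matches any character), but if the `\b` in the MSIE rule is lost, Internet Explorer silently falls into the Netscape 4 restrictions and only receives compressed HTML.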


Check the settings and add/adjust as follows:

Find the configuration file:

root@serv [~]# /usr/local/apache/bin/httpd -V
Server version: Apache/2.2.27 (Unix)
Server built:   Jun 12 2014 01:44:45
Cpanel::Easy::Apache v3.24.19 rev9999
Server's Module Magic Number: 20051115:33
Server loaded:  APR 1.5.0, APR-Util 1.5.3
Compiled using: APR 1.5.0, APR-Util 1.5.3
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The config file is usually at:

Add/Edit the config:

Start Servers 32
Minimum Spare Servers 32
Maximum Spare Servers 256
Server Limit 2000
Max Clients 1500
Keep-Alive On

Keep in mind that HTTP is a stateless protocol. Each line can represent one client opening multiple sockets to fetch different files (CSS, images, etc.) that will linger for a while in the TIME_WAIT state.

To display only the active Internet connections to the server on port 80, sorted so that many connections coming from one IP are easy to spot:

# netstat -an | grep :80 | sort

To list the IP addresses with connections in the SYN_RECV (half-open) state, instead of just a count:

# netstat -n -p | grep SYN_REC | sort -u

Slow Server

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

# netstat -nat | grep :80 | grep ESTAB | wc -l

# netstat -nat | grep :80 | gawk '{ print $5; }' | gawk -F: '{ print $1 }' | sort | uniq -c | sort -n

# netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort -nr| uniq -c | sort -n

# netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

For Java?

# netstat -nat | grep :1935 | gawk '{ print $5; }' | gawk -F: '{ print $1 }' | sort | uniq -c | sort -n
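The pipelines above all do the same two things: select the rows for one local port, then count rows by state or by remote address. As an added example (not from the page), the following Python script does that over a constructed `netstat -nat` listing so the logic can be checked offline. It also handles two cases the one-liners get wrong: `grep :80` also matches `:8080` and any remote port containing "80", and `cut -d: -f1` truncates IPv6-mapped peers such as `::ffff:192.0.2.10` to an empty string. The sample addresses are from the RFC 5737 documentation ranges.

```python
from collections import Counter

# Constructed netstat -nat output; addresses are documentation ranges, not real hosts.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:55000       ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.9:55001       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.10:51237 ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def split_addr(addr):
    """Split 'host:port' on the last colon so IPv6 hosts survive intact, and
    normalise IPv4-mapped IPv6 hosts (::ffff:a.b.c.d) to plain IPv4."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, port


def parse_netstat(text):
    """Turn netstat -nat output into a list of connection dicts (TCP rows only)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, or non-TCP row
        lhost, lport = split_addr(fields[3])
        peer, peer_port = split_addr(fields[4])
        conns.append({"proto": fields[0], "local_host": lhost, "local_port": lport,
                      "peer": peer, "peer_port": peer_port, "state": fields[5]})
    return conns


def count_by_state(conns, port):
    """Connections on the given local port, counted by TCP state."""
    return Counter(c["state"] for c in conns if c["local_port"] == port)


def count_by_peer(conns, port, state=None):
    """Connections on the given local port counted by remote address,
    optionally restricted to one state (e.g. SYN_RECV to find half-open floods)."""
    return Counter(c["peer"] for c in conns
                   if c["local_port"] == port and c["state"] != "LISTEN"
                   and (state is None or c["state"] == state))


def established_count(conns, port):
    """Equivalent of: netstat -nat | grep :80 | grep ESTAB | wc -l, for one local port."""
    return count_by_state(conns, port)["ESTABLISHED"]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    print("by state:", dict(count_by_state(conns, "80")))
    print("by peer: ", count_by_peer(conns, "80").most_common())
    print("half-open by peer:", dict(count_by_peer(conns, "80", state="SYN_RECV")))
```

Counting by peer with `state="SYN_RECV"` is the check the `grep SYN_REC` one-liner above is after: one remote address holding many half-open connections stands out immediately, whereas a busy but legitimate client (192.0.2.10 here) shows up with a mix of ESTABLISHED and TIME_WAIT rows.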

Need to optimize?

ab -c 50 -n 10000 URL_TO_THE_SITE

-n 10000: ab will send 10000 requests to the server for the benchmarking session
-c 50: 50 is the concurrency level, i.e. ab will keep 50 requests in flight to the server at a time

Log in to a Linux/BSD desktop computer and type the following command:

$ ab -n 1000 -c 5


-n 1000: ab will send 1000 requests to the server for the benchmarking session
-c 5: 5 is the concurrency level, i.e. ab will keep 5 requests in flight to the server at a time
For example, to send 10 requests, type the following command:


Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Thu Jul 31 13:05:21 2014] [error] [client] Premature end of script headers: cron.php

Edit fastcgi.conf and add the following:

nano /etc/nginx/fastcgi.conf
FcgidBusyTimeout 3600

Note that FcgidBusyTimeout is a directive of Apache's mod_fcgid (the module named in the error above), so it only takes effect in a configuration file that Apache reads.