HSTS policy is enabled on every single Lucy instance by default. One can check whether the policy is enabled via dev tools in the Chrome browser. Simply proceed to Lucy admin console and send Ctrl+Shift+C hotkey combination. There proceed to the Network tab and open the Headers section.

To enable/disable the header on the instance follow these steps:

1. Open ssh connection to the instance
2. Open the file

nano /opt/phishing/files/system/vhost-templates/virtualhost-ssl.txt

3. Add or remove the following line at the beginning of the file (after <VirtualHost *:443> tag):

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains;"

5. Restart the apache server:

service apache2 reload
service apache2 restart