; charset=UTF-8<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\nHTTP Strict Transport Security or HSTS is a new security feature in browsers that enables you tell the browser \u201calways use SSL when accessing this site\u201d.<\/p>\n
Mozilla has a good blog post explaining HSTS, so I won\u2019t try to replicate that here, but I\u2019d just like to make it clear that if you have a site that should always use SSL, be it Drupal or Django or any other system, this is definitely something you should get set up.<\/p>\n
Good examples of these are webmail, server administration and monitoring tools and general admin backends. If you are running a large Drupal-site, you should perhaps consider restricting admin-access to a SSL-protected subdomain.<\/p>\n
Currently, it is only supported in Chrome 4 and above, and Firefox 4 beta 5 and beyond, but hopefully the other browser makers will catch up soon. Its fully backwards compatible, in that it will have no effect if the browser does not support HSTS.<\/p>\n
How to use it<\/p>\n
Setting it up is very simple. In your Apache VHost, where you do your SSL config, just add this line:<\/p>\n
Header add Strict-Transport-Security “max-age=15768000”
\nThis will tell the browser to remember that this site is SSL\/HTTPS only for the next 6 months. During that time it will simply rewrite any and all requests to that site to use HTTPS instead of HTTP without ever communicating insecurely with the server.<\/p>\n
If you use nginx, the syntax is subtly different. Adding this to the server section does the trick:<\/p>\n
add_header Strict-Transport-Security max-age=15768000;
\nKeep your redirects<\/p>\n
An important point is that HSTS only works after the user has received the header via HTTPS. So you will still need to have a redirect from your HTTP-site to HTTPS, also for supporting browsers that still do not understand HSTS.<\/p>\n
This is easily accomplished using Apache\u2019s mod_rewrite:
\nRewriteEngine On
\nRewriteCond %{HTTPS} off
\nRewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI}<\/p>\n
Thus, with a few lines of configuration, you can make the web a safer place to be for your users. So, what are you waiting for?<\/p>\n","protected":false},"excerpt":{"rendered":"
HSTS (HTTP Strict Transport Security) is a security protocol that force the use of SSL in the comunication between the web browser and the web server. This standard is recently approved (2 october 2012) by the IETF, but the first draft was released in 2010 and it was implemented in some sites like Paypal, Android […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3075"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3075"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3075\/revisions"}],"predecessor-version":[{"id":3077,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3075\/revisions\/3077"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}