Two Domains HSTS – HTTP Strict Transport Security


HSTS – HTTP Strict Transport Security – is enforced HTTPS. It is a declaration by the server that the connection is 100% secure, which is reviewed and accepted by Chrome, Firefox and IE (the three most popular browsers). These browsers then share a list, so that every time the user visits the site the connection is secured without needing a (non-secure) 301 redirect from HTTP to HTTPS. Even before the site is reviewed and pushed to the list, the browser caches this preference the first time the user visits the site, and from then on the site is forced to HTTPS.

Apache2 configures HSTS easily: edit the site configuration file under /etc/apache2/sites-enabled and add the following line to your SSL section.

Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"

The max-age attribute specifies the rule's expiry time in seconds, which should be at least eighteen weeks (10886400 seconds). Save the file and restart the server with either /etc/init.d/apache2 restart or service apache2 restart. If you are using the CloudFlare CDN, you can simply turn this on in the control panel:

[Screenshot: hsts-cloudflare – the HSTS setting in the CloudFlare control panel]

The next step is to submit your site for review [https://hstspreload.appspot.com/], which may take a few days (in my case, it was very quick).

Check your site's status until it shows something like this:

[Screenshot: hsts-preloaded-list – the site shown as preloaded on the HSTS preload status page]
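Before submitting, it is worth checking that the header you actually serve meets the requirements described above (max-age of at least eighteen weeks, includeSubDomains, and the preload token). The checker below is an added example, not code from the original post; it parses a Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, so the post's "includeSubdomains" spelling counts) and runs over constructed sample values rather than a live site.

```python
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 3600  # eighteen weeks = 10886400 seconds

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    Directive names are case-insensitive (RFC 6797), so the post's 'includeSubdomains'
    spelling is accepted alongside 'includeSubDomains'."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # empty segments and unknown directives are ignored, as browsers do
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_subdomains, preload

def preload_problems(header_value):
    """Reasons a header fails the preload requirements the post describes; [] means it qualifies."""
    try:
        max_age, include_subdomains, preload = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below the eighteen-week minimum {MIN_PRELOAD_MAX_AGE}")
    if not include_subdomains:
        problems.append("includeSubDomains is missing")
    if not preload:
        problems.append("preload token is missing")
    return problems

# Constructed sample values, not captured from any real site.
SAMPLE_HEADERS = {
    "from_post": "max-age=15552000; includeSubdomains; preload",
    "too_short": "max-age=86400; includeSubDomains; preload",
    "no_preload": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: {preload_problems(value) or 'OK'}")
```

To check a live server instead of the samples, feed it the value of the Strict-Transport-Security response header from curl -sI on the HTTPS URL.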

Useful Links:
Chrome List: https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json
Firefox List: https://mxr.mozilla.org/mozilla-aurora/source/security/manager/ssl/nsSTSPreloadList.inc
Browser HSTS check: http://caniuse.com/#search=HSTS

After all this, you are committed to serving all connections over HTTPS, so unless you apply to change it (which takes time to take effect), you have promised that the site is secure! If you ever stop having HTTPS, your site will become unavailable.

–EOF (The Ultimate Computing & Technology Blog) —
