Enforce HTTPS with Strict Transport Security (HSTS)


Some websites are designed to work over HTTPS only. In that case, the webmaster often keeps the HTTP version reachable and redirects it to HTTPS. But this mechanism is not safe on its own: the first plain HTTP request is sent before the redirect, and an attacker on the path can intercept it, so the site can still be the victim of a MITM attack.


To avoid this, you can tell browsers that the website must be contacted over HTTPS only. Once a browser has seen the header, it rewrites any http:// URL for that host into an https:// one before sending the request.

For Apache, in .htaccess:

<IfModule mod_headers.c>
	# Only send the header on HTTPS responses (RFC 6797 requires browsers to
	# ignore it over plain HTTP); the HTTPS environment variable is set by mod_ssl.
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

Then you should visit https://hstspreload.org to submit your domain to the browsers' built-in HSTS preload list, so that even the very first visit is made over HTTPS.
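The following script is an added example, not part of the original post: it parses a Strict-Transport-Security header value the way RFC 6797 describes (directive names are case-insensitive, a directive may appear only once, max-age is mandatory) and lists why a value would be rejected for preloading. The one-year minimum max-age and the required includeSubDomains and preload directives are the current hstspreload.org submission requirements as I know them; the sample header values at the bottom are constructed.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) header value."""
import re
from dataclasses import dataclass
from typing import Optional

# Minimum max-age currently required by hstspreload.org (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy encoded in an STS header value, or None if it is invalid.

    RFC 6797 section 6.1: directive names are case-insensitive, a directive
    must not appear more than once, max-age is required, and directives the
    UA does not recognise are ignored. Empty directives (e.g. a trailing ';')
    are allowed by the grammar.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be sent as a quoted-string
        if name in seen:
            return None  # duplicate directive makes the whole header invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # max-age needs a non-negative integer value
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(value: str) -> list:
    """List the reasons a header value would not meet the preload requirements."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is not a valid Strict-Transport-Security value"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values for illustration.
    samples = [
        "max-age=31536000; includeSubDomains; preload",  # the .htaccess value above
        "max-age=300",                                   # typical first deployment
        "max-age=0",                                     # tells browsers to forget the policy
        "max-age=31536000; max-age=0",                   # invalid: duplicate directive
    ]
    for s in samples:
        print(f"{s!r}: {preload_problems(s) or 'preload-ready'}")
```

A sensible rollout is to start with a short max-age, confirm every subdomain is reachable over HTTPS, then raise it to the one-year value and add includeSubDomains and preload before submitting the domain.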

