Enforce HTTPS with Strict Transport Security (HSTS)

Problem

Some websites are designed to work only over HTTPS. In that case, the webmaster often keeps the HTTP version reachable and simply redirects it to HTTPS. But this mechanism is not safe: the very first request is still sent in cleartext, and an attacker positioned between the user and the server (a MITM, for example with SSL stripping) can intercept it and keep the victim on plain HTTP before the redirect ever happens.

Solution

To avoid this, you can tell browsers that the web site must be contacted over HTTPS only, with the Strict-Transport-Security response header. Once a browser has seen that header on a valid HTTPS response, it rewrites any http:// URL for the site into https:// before sending the request, for as long as max-age says. Note that browsers ignore the header when it arrives over plain HTTP, so it only needs to be sent on HTTPS responses.

For Apache, in .htaccess

<IfModule mod_headers.c>
	# Sent only on HTTPS responses (env=HTTPS is set by mod_ssl).
	# max-age=31536000 is one year, the minimum required for preloading;
	# includeSubDomains applies the policy to every subdomain as well.
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

Then you should visit https://hstspreload.org to submit the domain to the HSTS preload list, so that browsers enforce HTTPS even on the very first visit. Before submitting, check that the HTTP version redirects to HTTPS, that the header is served on the base domain with max-age of at least one year, includeSubDomains and preload, and that every subdomain really works over HTTPS. Removal from the preload list takes months to reach users, so treat the submission as permanent.
