
Force HTTPS + HSTS.

alg.cubing.net has supported HTTPS for a while. This makes it a permanent commitment.
1 parent 8d2d34b commit 743abaa9de26afa2e12577b8eda2b0e57431ce47 @lgarron lgarron committed Mar 12, 2015
Showing with 14 additions and 2 deletions.
  1. +0 −1 .gitignore
  2. +13 −0 .htaccess
  3. +1 −1 alg.cubing.net.js
@@ -1,2 +1 @@
-/.htaccess
/source/
@@ -0,0 +1,13 @@
+# Dreamhost doesn't allow any way to configure connection security except .htaccess. :-(
+
+# Generated from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+# If on HTTPS, sent the HSTS header.
+Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
+Header always unset Strict-Transport-Security env=!HTTPS
+
+# Redirect to HTTPS first.
+RewriteEngine on
+RewriteCond %{HTTPS} off
+RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
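Review bot: The `SSLCipherSuite` line sits in per-directory context, where Apache can only apply it by renegotiating after the request has already been read, so the first handshake and the request sent over it still use whatever cipher list the host set at server level. That is worth stating in the file so nobody treats this list as the effective TLS policy, e.g. `# Per-directory: applied by renegotiation after the request is read; the first handshake uses the host's server-level list.` Separately, `[R,L]` on the last line issues a 302 by default; for a redirect the commit describes as permanent, `[R=301,L]` matches the intent and lets clients cache it. The HSTS value carries `includeSubDomains; preload`, which is slow to undo once browsers have stored it, so any subdomain of this host that cannot serve HTTPS (none are visible from here) should be checked before this ships.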
@@ -297,7 +297,7 @@ algxControllers.controller('algxController', ["$scope", "$location", "debounce",
// TODO: Inject playback view into parameters properly.
// Right now it's fine because the view paramater is hidden in editor view, which is the only time you see a forum link.
- $scope.share_url = "http://alg.cubing.net" + $location.url();
+ $scope.share_url = "https://alg.cubing.net" + $location.url();
if ($location.url().indexOf("?") !== -1) {
$scope.share_url += '&view=playback';
}
