
Add boilerplate for Strict-Transport-Security headers. #1266

Closed
wants to merge 1 commit into from

5 participants

@mikewest

Strict-Transport-Security headers allow a site to specify that it should only be visited over a secure connection. This addresses the risk of an active network attacker stripping SSL from a user's connection, or redirecting the user in the window of opportunity presented by a redirected HTTP request.

@reecekol

Would this only allow users to access via https?

@mikewest

That's correct. If you're serving a site via HTTPS, sending this header means that users will never ever ever visit it over HTTP. That has some distinct security/privacy benefits.
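To make the behaviour described above concrete, here is an added example (not code from the pull request or the h5bp configs) that parses a Strict-Transport-Security value by the RFC 6797 directive grammar and reports what a browser would do with it, including the lock-in period for the `max-age=16070400;` value this PR proposes.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.

Added example for the header this PR proposes; not code from the h5bp configs.
Grammar follows RFC 6797: ';'-separated directives, case-insensitive names,
'max-age' required and not repeated; browsers ignore the header over plain HTTP.
"""


def parse_hsts(value):
    """Return {name: value or None} for the directives in a header value."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:  # a trailing ';' (as in the PR) yields an empty directive
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val.strip().strip('"') or None
    if not (directives.get("max-age") or "").isdigit():
        raise ValueError("max-age directive missing or not a number")
    return directives


def assess_hsts(scheme, value):
    """Describe what a browser does with this header on a response.

    scheme is the scheme the response was served over ('http' or 'https').
    Returns (max_age_seconds, findings) for the deployer to review.
    """
    findings = []
    if scheme.lower() != "https":
        findings.append("sent over HTTP: browsers ignore it; redirect to HTTPS first")
    d = parse_hsts(value)
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    else:
        findings.append("clients refuse plain HTTP to this host for %d days; "
                        "keep the certificate valid that long" % (max_age // 86400))
    if "includesubdomains" in d:
        findings.append("includeSubDomains: every subdomain must also serve HTTPS")
    return max_age, findings


if __name__ == "__main__":
    # The value from the PR, as a client would receive it over HTTPS.
    print(assess_hsts("https", "max-age=16070400;"))
```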

@necolas
H5BP member

Thanks again Mike. We're in the process of moving the development of the Apache configuration to be led by the @h5bp/server-configs team. It might end up that this issue is moved over there if that migration happens some time soon. But either way, I hope you can stay involved in helping everyone continue to improve these configs!

@mikewest

No worries. Would you mind pinging the bug when it's relevant to kick off the conversation again?

@AD7six AD7six added a commit to h5bp/server-configs that referenced this pull request
@AD7six AD7six add strict transport security config 0910576
@AD7six
H5BP member

@mikewest I think that's fine personally - can you PR that to h5bp-server-configs so it can be (probably without contest) reviewed and merged? I've already added the equivalent config for nginx in anticipation.

@mikewest mikewest added a commit to mikewest/server-configs that referenced this pull request
@mikewest mikewest Add boilerplate for Strict-Transport-Security headers.
Migrated to this repo from h5bp/html5-boilerplate#1266.
b9f101f
@mikewest mikewest referenced this pull request in h5bp/server-configs
Closed

Add boilerplate for Strict-Transport-Security headers. #106

@mikewest

Done, thanks!

@alrra alrra closed this
@alrra alrra added a commit to h5bp/server-configs that referenced this pull request
@mikewest mikewest Add boilerplate for Strict-Transport-Security headers.
Migrated to this repo from h5bp/html5-boilerplate#1266.
1c01c19
@alrra alrra referenced this pull request
Commit has since been removed from the repository and is no longer available.
@alrra alrra pushed a commit to h5bp/server-configs-apache that referenced this pull request
@mikewest mikewest Add boilerplate for Strict-Transport-Security headers.
Migrated to this repo from h5bp/html5-boilerplate#1266.
d76bb11
Commits on Nov 26, 2012
  1. @mikewest
Showing with 15 additions and 0 deletions.
  1. +15 −0 .htaccess
15 .htaccess
@@ -414,6 +414,21 @@ FileETag None
# ----------------------------------------------------------------------
+# Force client-side SSL redirection
+# ----------------------------------------------------------------------
+
+# If a user types "example.com" in her browser, the above rule will redirect her
+# to the secure version of the site. That still leaves a window of opportunity
+# (the initial HTTP connection) for an attacker to downgrade or redirect the
+# request. The following header ensures that browser will **only** connect to
+# your server via HTTPS, regardless of what users type in the address bar.
+
+# <IfModule mod_headers.c>
+# Header set Strict-Transport-Security max-age=16070400;
+# </IfModule>
+
+
+# ----------------------------------------------------------------------
# Prevent 404 errors for non-existing redirected folders
# ----------------------------------------------------------------------
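Review bot: the header is left commented out, which is the right default for boilerplate, but the comment block should carry the caveats anyone uncommenting it needs. Browsers only honour Strict-Transport-Security when it arrives over HTTPS (RFC 6797), so the HTTP-to-HTTPS redirect the text calls "the above rule" must already be active and the whole site reachable over HTTPS before this is enabled; and once a client has seen the header, it refuses plain HTTP to the host for max-age seconds (16070400 is 186 days), so an expired or mismatched certificate locks those users out with no bypassable warning. Consider quoting the value and sending it only on TLS responses, for example `Header set Strict-Transport-Security "max-age=16070400" env=HTTPS` (relying on the HTTPS variable mod_ssl sets), and noting `includeSubDomains` as an opt-in that extends the policy to every subdomain. Lastly, "ensures that browser will" wants "the browser".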