Force https with HTTP Strict Transport Security (HSTS)

Jul 14, 2021 by Thibault Debatty | 2124 views

Secure Software Development

https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts

Once you have https enabled for your website (with Letsencrypt for example), you should make sure all your users use the secure version of the site. Typically this done using a redirect. However this still leaves a window of opportunity (the initial HTTP connection) for an attacker to downgrade or redirect the request. With a Strict Transport Security header, you can force a browser to only connect to your server using HTTPS.

Photo by Rob King on Unsplash

This header has a max-age value, that defines for how long this directive is enforced. This also means that HSTS is not revokable for as long as you’ve specified in the max-age directive. If you don’t have a valid TLS connection anymore (e.g. due to an expired TLS certificate) your visitors will see an error message even when attempting to connect over HTTP.

Here is a simple example, that you should add to your .htaccess:

<IfModule mod_headers.c>
  # https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts
  Header set Strict-Transport-Security "max-age=604800"
</IfModule>

It will force https for 1 week (604800 seconds).

This blog post is licensed under CC BY-SA 4.0

Unit testing C code

C Secure Software Development

Jun 6, 2023 | 5543 views
Hardening Apache

Secure Software Development

Dec 6, 2022 | 1219 views
Secure Cookies with Laravel

Secure Software Development Laravel PHP

Feb 24, 2022 | 12169 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept