
SSL HSTS (HTTP Strict Transport Security)

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Sep 26, 2015.

  1. pamamolf

    Hi

    I want to ask about HSTS (HTTP Strict Transport Security): is it used by default now with HTTP/2 or not?

    Do I have to do something to enable it for my domain?

    Thanks
     
  2. eva2000

    It's commented out by default in the centmin.sh menu option 2 generated self-signed SSL vhosts, as enabling it will force repeat visitors to go to https for the duration of max-age.
     
  3. pamamolf

    But isn't it good to use if I already use https, to avoid MITM attacks?
     
  4. eva2000

    Yes, but folks would need to work out the http to https redirect properly for their sites, which isn't enabled by default either. If they set the redirect from http to https incorrectly and enabled HSTS for their site, all visitors would be stuck in https mode for the duration of the HSTS max-age, which is 1yr, and it's cached in the visitor's browser. So you can't change it on your web server end to fix the problem. All your visitors would need to empty their browser caches.
     
    Last edited: Sep 26, 2015
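An added example, not from this thread or from Centmin Mod: a small Python pre-flight check for the failure mode eva2000 describes. It walks a redirect chain (constructed sample responses here, not a live fetch) and only reports HSTS as safe to enable once plain HTTP redirects to HTTPS and the HTTPS response succeeds; it also parses the max-age value the browser will cache (31536000 seconds is the one-year value mentioned above).

```python
"""Pre-flight check before enabling HSTS: if the HTTP->HTTPS redirect is wrong,
the browser caches the policy for the whole max-age and the server cannot undo it."""
import re
from urllib.parse import urlsplit

# Constructed sample redirect chains: (request URL, status, response headers).
GOOD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
# Constructed: HTTPS bounces back to HTTP, so a cached HSTS policy would loop.
BAD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 302, {"Location": "http://example.com/"}),
]


def parse_hsts(value):
    """Split a Strict-Transport-Security value into directives; max-age -> int."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            # Valueless directives such as includeSubDomains are stored as True.
            directives[name.strip().lower()] = val.strip().strip('"') or True
    if not re.fullmatch(r"\d+", str(directives.get("max-age", ""))):
        raise ValueError("HSTS header lacks a numeric max-age")
    directives["max-age"] = int(directives["max-age"])
    return directives


def hsts_safe_to_enable(chain):
    """Return (ok, reason): ok only if HTTP redirects to HTTPS and HTTPS serves 200."""
    for url, status, headers in chain:
        scheme = urlsplit(url).scheme
        if status in (301, 302, 307, 308):
            target = headers.get("Location", "")
            # Any hop that points back to plain HTTP would strand HSTS-pinned browsers.
            if urlsplit(target).scheme != "https":
                return False, f"{url} redirects to non-HTTPS target {target!r}"
        elif status == 200 and scheme == "https":
            return True, "redirect lands on a working HTTPS response"
        else:
            return False, f"{url} answered {status} over {scheme} without redirecting"
    return False, "chain ended before reaching an HTTPS 200"
```

Run the check against a capture of your own site's redirect hops before uncommenting the HSTS header, and start with a short max-age while the redirect is still being verified.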