
SSL HSTS (HTTP Strict Transport Security)

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Sep 26, 2015.

  1. pamamolf

    Hi

    I want to ask about HSTS (HTTP Strict Transport Security): is it in use by default now with HTTP/2, or not?

    Do I have to do something to enable it for my domain?

    Thanks
  2. eva2000

    It's commented out by default in the centmin.sh menu option 2 generated self-signed SSL vhosts, as enabling it will force repeat visitors to go to HTTPS for the duration of max-age.

  3. pamamolf

    But isn't it good to use if I already use HTTPS, to avoid MITM attacks?

  4. eva2000

    Yes, but folks would need to work out the http to https redirect properly for their sites, which isn't enabled by default either. If they set the redirect from http to https incorrectly and enabled HSTS for their site, all visitors would be stuck in https mode for the duration of the HSTS max-age, which is 1 yr, and it's cached in the visitor's browser. So you can't change it on your web server end to fix the problem. All your visitors would need to empty their browser caches.

    Last edited: Sep 26, 2015
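
The situation eva2000 describes in posts 2 and 4 (a `Strict-Transport-Security` header that browsers cache for max-age, combined with a redirect that was set up wrong) as an added pre-flight check. This is example code written for this thread, not code from Centmin Mod or from either poster. The host `example.com`, the 300-second staging value and the four response sets are constructed assumptions; in a real audit the responses would come from fetching `http://host/` and `https://host/` with redirects not followed.

```python
"""HSTS rollout pre-flight check (added example; not Centmin Mod code).

Browsers cache Strict-Transport-Security for max-age seconds and then rewrite
every http:// URL for the host to https:// before sending it. Given what port 80
and port 443 answer, list what must be fixed before the header is uncommented.
Responses are constructed inline (sample data, not captured traffic).
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

STAGING_MAX_AGE = 300  # assumed safe first-rollout value; the thread's default is 31536000 (1 yr)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None when absent."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """RFC 6797 s6.1 parser; None when a browser would ignore the header (no numeric max-age, repeated directive)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for tok in (t.strip() for t in value.split(";")):
        if not tok:
            continue
        name, _, val = tok.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # quoted-string form is allowed
            if not val.isdigit():
                return None
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def _redirect_target(resp):
    """Parsed Location of a 3xx response, else None."""
    loc = resp.header("Location")
    return urlparse(loc) if 300 <= resp.status < 400 and loc else None


def hsts_readiness(host, http_resp, https_resp):
    """Findings for enabling HSTS on host; an empty list means go ahead.
    CRIT is the lock-in case: with the policy cached, the browser cannot fall
    back to http for the host until max-age expires."""
    findings = []
    if http_resp.header("Strict-Transport-Security"):
        findings.append("WARN: STS header over plain http is ignored by browsers (RFC 6797 s8.1)")
    tgt = _redirect_target(http_resp)
    if tgt is None:
        findings.append(f"WARN: http://{host}/ answers {http_resp.status} instead of redirecting to https")
    elif tgt.scheme != "https":
        findings.append(f"WARN: http redirect points at {tgt.geturl()}, not an https URL")
    tgt = _redirect_target(https_resp)
    if tgt is not None and tgt.scheme == "http":
        findings.append(f"CRIT: https://{host}/ redirects to {tgt.geturl()}; HSTS upgrades it again, so visitors loop")
    elif not 200 <= https_resp.status < 400:
        findings.append(f"CRIT: https://{host}/ answers {https_resp.status} and HSTS visitors cannot fall back to http")
    raw = https_resp.header("Strict-Transport-Security")
    if raw is None:
        findings.append("INFO: no STS header on https; HSTS not enabled (the commented-out default)")
    else:
        policy = parse_hsts(raw)
        if policy is None:
            findings.append(f"WARN: STS header {raw!r} is malformed and will be ignored")
        elif policy["max_age"] > STAGING_MAX_AGE and any(f.startswith(("CRIT", "WARN")) for f in findings):
            findings.append(f"RISK: max-age={policy['max_age']} locks the above in for that long; fix it first or start with max-age={STAGING_MAX_AGE}")
    return findings


def demo():
    """Four constructed vhost states for example.com (assumed host, sample data)."""
    host = "example.com"
    redirect = Response(301, {"Location": f"https://{host}/"})
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    return {
        "good": hsts_readiness(host, redirect, Response(200, dict(sts))),
        # https vhost still carries an old force-http rewrite: the lock-in the thread warns about
        "loop": hsts_readiness(host, redirect, Response(301, {"Location": f"http://{host}/", **sts})),
        # the shipped defaults: no redirect, header commented out
        "disabled": hsts_readiness(host, Response(200), Response(200)),
        "malformed": hsts_readiness(host, redirect, Response(200, {"Strict-Transport-Security": "max-age=1y"})),
    }
```

Run `demo()` (or feed `hsts_readiness()` real responses) before uncommenting the `add_header Strict-Transport-Security` line in the vhost, and clear every CRIT first: once the policy is cached, the only server-side way to shorten it is to keep serving https successfully with `max-age=0` (RFC 6797 s6.1.1), which is exactly what a broken https vhost cannot do, so those visitors are stuck for the full max-age as the post says.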