The HTTP Strict Transport Security header

This is an HTTP header sent by a web server which tells browsers only to request secure (HTTPS) URLs from your website.

So instead of using http://example.com/asset, a browser will automatically use https://example.com/asset.

This 'only request secure assets' status for your site is cached by browsers for the period of time given in the header.

Once you've been using it for a while, and are sure your website works over HTTPS, you can add your site to Google's preload list, which is used by the other browsers as well.

In Apache, on your old, insecure website:

For testing (server config, virtual host or .htaccess):


# temp redirect (302) to my shiny new secure website
Redirect / https://www.example.com

# (browsers should cache for 1 hour)
# Note: browsers only honour this header on HTTPS responses (RFC 6797, section 8.1),
# so the same header must also be set on the HTTPS virtual host it redirects to.
Header set Strict-Transport-Security "max-age=3600"


Permanent solution (server config, virtual host):


# The 301 code tells browsers and search engines it's a permanent move
Redirect 301 / https://www.example.com

# Set a long cache duration and include subdomains, so the site is eligible for the preload list
# (the preload submission site now requires a max-age of at least 31536000, i.e. one year)
Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"


See the full description, which also shows how to do it on Nginx.
