Textpattern CMS support forum
HTTP HSTS and SSL
Security is a very important topic.
A very good explanation of “Strict Transport Security” for HTTPS from the Mozilla MDN documentation here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security (in French here: https://developer.mozilla.org/fr/docs/S%C3%A9curit%C3%A9/HTTP_Strict_Transport_Security).
Some useful information here too: https://support.servertastic.com/knowledgebase/article/http-strict-transport-security-php.
I tried to send the header in PHP with the help of the new (and excellent) <txp:header /> tag available in the upcoming TXP 4.7 version, but it causes some problems in very old browsers (e.g. Internet Explorer 7).
The best solution is to declare such an HTTP request within your .htaccess file (tested within old Firefox 1 and Netscape 7.1 for PC without any access problems):
# Force https HSTS connections for 180 days
Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains; preload" env=HTTPS
Last edited by Pat64 (2018-01-31 08:57:19)
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
Re: HTTP HSTS and SSL
FYI, here are the security settings I use within the forum .htaccess file, which gives us a good score at securityheaders.io.
# HSTS.
Header set Strict-Transport-Security "max-age=16070400"
# Referrer Policy.
Header always set Referrer-Policy "no-referrer-when-downgrade"
# Content Security Policy.
Header unset P3P
Header append X-XSS-Protection "1; mode=block"
Header append X-Content-Type-Options "nosniff"
Header append Content-Security-Policy "default-src 'self'; connect-src 'self' https://syndication.twitter.com; font-src textpattern.io https://textpattern.io; img-src 'self' data: * https://*; style-src 'self' 'unsafe-inline' gist.github.com *.twitter.com *.twimg.com https://gist.github.com https://*.twitter.com https://*.twimg.com; script-src 'self' code.jquery.com gist.github.com cdnjs.cloudflare.com *.twitter.com *.twimg.com https://code.jquery.com https://gist.github.com https://cdnjs.cloudflare.com https://*.twitter.com https://*.twimg.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src *.youtube-nocookie.com https://*.youtube-nocookie.com *.twitter.com https://*.twitter.com twitter.com https://twitter.com https://www.google.com/recaptcha/"
# Expect-CT (TODO: currently in testing).
Header set Expect-CT "max-age=0; report-uri=https://forum.textpattern.com/expect-ct-report"
I don’t support browsers lower than IE11, so it might or might not work in IE10 and lower, but I’ve never had any complaints (not that I would care, since nobody should be using IE10 or lower anyway).
Re: HTTP HSTS and SSL
Wow Pat, you test quite deeply – Netscape, really?
And FWIW, Hosting companies are slowly dropping TLS level 1, which means that most older browsers won’t be able to access sites served over HTTPS. DreamHost turned it off yesterday. A Japanese hosting company I use will turn it off in a couple of weeks.
Where is that emoji for a solar powered submarine when you need it?
Sand space – admin theme for Textpattern
Re: HTTP HSTS and SSL
@Philippe:
Yep. Try my website (currently in re-development): works in Netscape 7.1 and probably into Internet Explorer 6 minimum, too :D
Patrick.
Re: HTTP HSTS and SSL
In nginx I use something like this in an extra file, which is included in the configs that use https:
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; preload";
and general https configs like this:
ssl on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_dhparam /etc/nginx_front/dhparam.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_prefer_server_ciphers on;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
resolver 127.0.0.1 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 1s;
SSL Labs gives my sites A+ grades.
I have not yet configured Referrer-Policy and Content-Security-Policy.
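An added check (not code from the forum, Textpattern or nginx) that parses a Strict-Transport-Security value like the ones posted in this thread and reports whether it meets the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload). Against the headers above it flags the 180-day header that carries preload and the nginx header that has preload without includeSubDomains; the sample HTTP response is constructed for the example.

```python
from typing import Dict, List, Tuple

# hstspreload.org requires max-age of at least one year (31536000 s),
# includeSubDomains and the preload directive before a domain is accepted.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse an HSTS header value into {directive-name (lowercase): value}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value: str) -> Tuple[bool, List[str]]:
    """Return (preload_eligible, findings) for one HSTS header value."""
    d = parse_hsts(value)
    findings: List[str] = []
    raw_age = d.get("max-age", "")
    age = int(raw_age) if raw_age.isdigit() else 0
    if not raw_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        findings.append("preload directive missing")
    return (not findings), findings


def hsts_from_raw_response(raw: str) -> str:
    """Extract the Strict-Transport-Security value from raw response headers."""
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return ""


# Constructed sample response, using the 180-day header from the first post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=15552001; includeSubDomains; preload\r\n"
    "\r\n"
)
```

Run `check_hsts(hsts_from_raw_response(SAMPLE_RESPONSE))` to see the findings for the first post's header; pass any other header value to `check_hsts` directly.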