
XF 1.4 About Email confirmation accounts (with https) and HSTS to improve security

Discussion in 'XenForo Questions and Support' started by Andros, Feb 15, 2015.

  1. Andros

    Andros Member


    I have got two questions I would like to ask.

    My website works with https; however, when a new user registers he receives an email with an http link, even though it gets redirected to https when he uses it. What I need is to make that http appear as the https it actually is.

    The second question is about how I can install HSTS (Strict Transport Security) in my XenForo. I use Nginx and I would like to use it.

    You can read about HSTS at http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    Is it possible?

  2. Brogan

    Brogan XenForo Moderator Staff Member

    What do you have set for the board URL in the ACP?

    Ensure it is using HTTPS.
  3. Andros

    Andros Member

    Where is the option, Brogan? In the XenForo General Settings?

    And is implementing HSTS possible?

    Thanks in advance.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    Enter 'board URL' in ACP search to locate the option.

    No idea on HSTS, I've never heard of it.
  5. Andros

    Andros Member

    OK, I changed it to use the s and tested it; it works correctly now.

    Thanks. I don't know if Mike or another dev or user knows how to implement HSTS with nginx.
  6. Mike

    Mike XenForo Developer Staff Member

  7. Andros

    Andros Member

    I will try what you said and tell you my experience afterwards.

  8. Tracy Perry

    Tracy Perry Well-Known Member

    add_header Strict-Transport-Security max-age=31536000;
    in your vhost definition where you have the other SSL settings configured, then restart nginx.

    If you are also serving subdomains from that vhost (I do each one as an individual vhost personally) you can place
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
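
Added example, not part of the thread or of XenForo's documentation: a minimal pair of nginx vhosts showing where the header from the post above goes and two nginx behaviours that commonly cause it to go missing. The hostname, certificate paths, document root and the static-file location are assumptions; the existing PHP/XenForo locations stay as they are.

```nginx
# Constructed example; forum.example.com and all paths are placeholders.

# Plain-HTTP vhost: browsers ignore HSTS received over http,
# so this block only redirects to the https vhost.
server {
    listen 80;
    server_name forum.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS vhost: the header belongs here, next to the other SSL settings.
server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/nginx/ssl/forum.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/forum.example.com.key;

    # "always" (nginx 1.7.5 and later) sends the header on error responses too;
    # without it nginx adds headers only for a fixed set of success and
    # redirect status codes.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/forum;
    index index.php;

    location ~* \.(?:css|js|png|jpg|gif)$ {
        # add_header directives are inherited from the server level only when
        # the location defines none of its own. This location sets
        # Cache-Control, so HSTS has to be repeated or it is silently dropped
        # for every static file.
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}
```

After `nginx -t` and a reload, checking the response headers of both a page and a static file over https confirms the header is present on each.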
