XF 1.4 About Email confirmation accounts (with https) and HSTS for improve security

[Andros]

Hello:

I have got two questions I would like to ask.

My website works with https, however when a new user registers he recieves in an email a link with http, even though it gets redirected to https when he uses it. What I need is to make that http appear as the https it actually is.

The second question is about how can I install HSTS (Strict Transport Security) in my xenforo. I use Nginx and I would like to use it.

You can see about HSTS at this http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

It is possible?

Thanks

 

[Paul B]

What do you have set for the board URL in the ACP?

Ensure it is using HTTPS.

 

[Andros]

Where is the option Brogan at Xenforo General Settings?

And HSTS is possible implemmenting it?

Thanks in advance.

 

[Paul B]

Enter 'board URL' in ACP search to locate the option.

No idea on HSTS, I've never heard of it.

 

[Andros]

Ok change with s, i test that it works correctly now.

Thanks, i don't know if mike or another dev or user know how to implemment hsts with nginx.

 

[Mike]

You should be setting up HSTS within your Nginx config directly: https://scotthelme.co.uk/setting-up-hsts-in-nginx/

 

[Andros]

I will try what you said and tell you my experience afterwards.

Thanks.

 

[TPerry]

Place

add_header Strict-Transport-Security max-age=31536000;

in your vhost definition where you have the other SSL settings configured then restart nginx.

If you are also serving subdomains from that vhost (I do each one as an individual vhost personally) you can place

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";