• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Support Strict-Transport-Security at xenforo.com

Puntocom

Well-known member
#1
Not Using Strict-Transport-Security
This website is not using HSTS, also known as Strict Transport Security. HSTS is a special HTTP response header, sent by the web server on content served over SSL, which tells the browser to always use SSL when talking to this website. HSTS not only adds security, but improves performance since your visitors will always exclusively use the SSL version of your website, allowing them to also use SPDY.

Supporting this you would get A+ instead of A at www.ssllabs.com

It can be solved adding this to nginx.conf:
Code:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 

Tracy Perry

Well-known member
#2
And not everybody wants to use HSTS - as it can cause problems if you decide to revert back to a non SSL setup.
And doing it just to get an A+ instead of an A is not reason enough for a lot of people.
And if you are going to really do it right, add the preload to it and get with Google for inclusion into their preload list.
 
Last edited:

Puntocom

Well-known member
#3
Thanks. This is what I'm using now:
Code:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;