Support Strict-Transport-Security at xenforo.com

Discussion in 'General XenForo Discussion and Feedback' started by Puntocom, Jul 23, 2015.

  1. Puntocom

    Puntocom Well-Known Member

    Not Using Strict-Transport-Security
    This website is not using HSTS, also known as Strict Transport Security. HSTS is a special HTTP response header, sent by the web server on content served over SSL, which tells the browser to always use SSL when talking to this website. HSTS not only adds security, but improves performance since your visitors will always exclusively use the SSL version of your website, allowing them to also use SPDY.

    Supporting this, you would get A+ instead of A at www.ssllabs.com

    It can be solved by adding this to nginx.conf:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    batpool52! likes this.
  2. Tracy Perry

    Tracy Perry Well-Known Member

    And not everybody wants to use HSTS - as it can cause problems if you decide to revert to a non-SSL setup.
    And doing it just to get an A+ instead of an A is not reason enough for a lot of people.
    And if you are going to really do it right, add the preload to it and get with Google for inclusion into their preload list.
    Last edited: Jul 24, 2015
    maszd, Puntocom and HWS like this.
  3. Puntocom

    Puntocom Well-Known Member

    Thanks. This is what I'm using now:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
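    The two header values quoted in this thread differ only by the preload token, and Tracy Perry's warning about reverting comes down to what the browser caches from that header. The following is an added example, not code from the thread or from XenForo: a small parser for the Strict-Transport-Security header value (directive names are case-insensitive and unknown directives are ignored, per RFC 6797) plus a check against the commonly stated hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The sample header values are the two from posts 1 and 3 plus constructed bad inputs; the function and class names are my own.

```python
"""Parse and evaluate a Strict-Transport-Security header value.

Added example (not part of the thread). Sample inputs are constructed;
POST1/POST3 reproduce the nginx add_header values quoted in the posts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts

# Header values as quoted in the thread (constructed test data).
POST1_HEADER_VALUE = "max-age=31536000; includeSubdomains;"
POST3_HEADER_VALUE = "max-age=31536000; includeSubdomains; preload"


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value. Directive names are case-insensitive (RFC 6797),
    a trailing ';' yields an empty token that is skipped (post 1's value has one),
    and a directive given twice is a syntax error a browser would reject."""
    policy = HstsPolicy()
    seen: Set[str] = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Any other directive is ignored, as RFC 6797 requires of user agents.
    if policy.max_age is None:
        policy.problems.append("max-age is required")
    return policy


def preload_ready(policy: HstsPolicy) -> List[str]:
    """Return the reasons this policy would NOT be accepted for the preload list
    (empty list means it meets the header-side requirements)."""
    reasons = list(policy.problems)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        reasons.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains missing")
    if not policy.preload:
        reasons.append("preload token missing")
    return reasons


if __name__ == "__main__":
    for label, value in (("post 1", POST1_HEADER_VALUE), ("post 3", POST3_HEADER_VALUE)):
        policy = parse_hsts(value)
        print(label, value, "->", preload_ready(policy) or "preload-ready")
```

    Post 1's value parses cleanly but is reported as not preload-ready (no preload token); post 3's value passes. The revert caveat from post 2 follows from `max_age`: a browser that has seen the header keeps forcing HTTPS for that many seconds, so the only clean way back is to keep serving HTTPS while sending `max-age=0`, and a domain that has been submitted to the preload list stays pinned until a removal request has propagated through browser releases, which takes months. The `always` keyword on post 3's nginx line makes the header go out on error responses too, not just 2xx/3xx.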