12 Mar 2019, 12:55 AM   #11
Sea Mac
Senior Member
Join Date: Apr 2008
Location: Body: San Diego | Mind: Lost | Heart: With You
Posts: 582
Implementation Try HTTP Strict Transport Security (HSTS) first ...

Quote:
Originally Posted by Remah
Many websites redirect http to https automatically. This is the only one I use regularly that doesn't do this automatically.

It is slightly jarring when I'm logged in to see the padlock disappear in my web browser. But then the solution MaiKL suggested is available to all of us: edit our bookmarks so http becomes https.

P.S. The actual security is not a real concern for me but, on reflection, automatic redirection would be the best solution. It is not a good look to be commenting on security and then leave this issue outstanding for the many users who arrive via other sites following "http" links.
If I may make a suggestion ...

Last July, when Chrome started actively warning about sites that used only HTTP ... as "Security Risks" ... and I started having a REASON to secure my 5 domains ... I peeked into my cPanel and found out that my Hosting Provider fully supported ACME and "Let's Encrypt" and there were shiny new SSL Certificates just begging to be used in there.

So I told the cPanel something like "Yes, let's start using the security already offered FOR FREE." (Free is good.)

And, just like that, I had HTTPS and HTTP both Operating smoothly.

But then, I had the SAME Issue that now faces this fine site: I have been "Insecure" for a decade or more ... so HOW do I get them all to use ONLY My SECURE Links, now?

And the Answer IS: HSTS !

I SSH into the root of my Hosting plan - and add this to my .htaccess file:

Code:
Header set Strict-Transport-Security "max-age=604800" env=HTTPS
Whereby my server DEMANDS of compatible connecting clients that - for the next MONTH - They NOT Request any HTTP "Unsecured" resources from it. EVEN IF you doctor your URLs in the address bar and "Strip" off the "S" from the "HTTPS" to TRY to get the insecure version of the page ... HA-Ha-ha! ... (Foiled!) The SERVER nails that "S" back ON the URL before servicing the page request!

Read the support article from my Hosting Provider - that I linked to up there: then pop into your hosting plan and "Write" the 'Header set' command into the .htaccess file(s) of the root(s) of your Domains. And, you're Done.
__________________
"Software Santa" owes a debt of thanks to Tech Support Alert. Thank You.
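An added example, not from the post or the forum: it parses a Strict-Transport-Security header the way a browser does (RFC 6797), ignores it when it arrives over plain HTTP, and reports how many days the policy will be remembered. The sample responses are constructed; the 604800-second value is the one from the .htaccess line above, and the one-year threshold is the minimum hstspreload.org asks for.

```python
"""Parse and assess a Strict-Transport-Security header (RFC 6797)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample responses (not captured from any real host).
SAMPLE_HTTPS = {"Strict-Transport-Security": "max-age=604800"}   # the header from the post
SAMPLE_HTTP = {"Strict-Transport-Security": "max-age=604800"}    # same header, plain HTTP
SAMPLE_STRONG = {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains; preload"}

@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser keeps forcing HTTPS for the host
    include_subdomains: bool  # policy also applies to every subdomain
    preload: bool             # site asks to be shipped in browser preload lists

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value; directive names are case-insensitive, max-age is mandatory."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                raise ValueError(f"invalid max-age: {raw!r}")
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def recorded_policy(headers: Dict[str, str], scheme: str) -> Optional[HstsPolicy]:
    """Policy a conforming browser would store for this response, or None.
    RFC 6797 section 8.1: an STS header received over plain HTTP is ignored."""
    if scheme != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None

def assess(policy: HstsPolicy):
    """(lifetime in whole days, meets the one-year minimum hstspreload.org requires)."""
    return policy.max_age // 86400, policy.max_age >= 31536000
```

Run against the post's header, `assess` reports a lifetime of 7 days, which is what a browser will actually enforce for `max-age=604800`.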