This is a mirror of official site: http://jasper-net.blogspot.com/

Enabling HTTP Strict Transport Security on debian servers

| Thursday, February 10, 2011
I just enabled HTTP Strict Transport Security (HSTS) markers on a bunch of web servers that offer HTTPS.

It's an easy step to take, and it means that users of HSTS-compliant browsers (such as Chromium and the upcoming Firefox 4) or browsers with HSTS-compliant extensions (like Firefox's NoScript or HTTPS-Everywhere) will no longer be vulnerable to attacks like sslstrip once they have made one successful connection to the HSTS-enabled HTTPS web site.

It's not a perfect solution, but it is far better than the current situation. And it's easy to implement for websites that already use HTTPS.

For sites using apache, just enable mod_headers (on debian, that's: a2enmod headers) and add the following line to your HTTPS vhost stanza:

Header add Strict-Transport-Security: "max-age=15768000"

Depending on your setup, you may want to add the semicolon-delimited argument includeSubdomains, like this:

Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"

(note that the number of seconds above is roughly 6 months -- this is the duration that compliant clients will retain the protection).

Read more: Debian Administration

Posted via email from Jasper-net

0 comments: