From 177a5e94a60d9c27a8831a1d63211ffe6f6a83a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Fri, 3 Jan 2020 19:34:40 +0100
Subject: [PATCH] Improve HSTS documentation

Ref: https://github.com/h5bp/server-configs-apache/pull/196
---
 h5bp/security/strict-transport-security.conf | 41 +++++++++-----------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/h5bp/security/strict-transport-security.conf b/h5bp/security/strict-transport-security.conf
index d6f49f1..c9e8f51 100644
--- a/h5bp/security/strict-transport-security.conf
+++ b/h5bp/security/strict-transport-security.conf
@@ -2,42 +2,37 @@
 # | HTTP Strict Transport Security (HSTS) |
 # ----------------------------------------------------------------------
-# Force client-side SSL redirection.
+# Force client-side TLS (Transport Layer Security) redirection.
 #
 # If a user types `example.com` in their browser, even if the server redirects
 # them to the secure version of the website, that still leaves a window of
 # opportunity (the initial HTTP connection) for an attacker to downgrade or
 # redirect the request.
 #
-# The following header ensures that browser will ONLY connect to your server
+# The following header ensures that browser only connects to your server
 # via HTTPS, regardless of what the users type in the browser's address bar.
 #
-# (!) Be aware that this, once published, is not revokable and you must ensure
-# being able to serve the site via SSL for the duration you've specified
-# in max-age. When you don't have a valid SSL connection (anymore) your
-# visitors will see a nasty error message even when attempting to connect
-# via simple HTTP.
+# (!) Be aware that Strict Transport Security is not revokable and you
+# must ensure being able to serve the site over HTTPS for the duration
+# you've specified in the `max-age` directive. When you don't have a
+# valid TLS connection anymore (e.g. due to an expired TLS cerfiticate)
+# your visitors will see a nasty error message even when attempting to
+# connect over HTTP.
 #
-# (!) Remove the `includeSubDomains` optional directive if the website's
-# subdomains are not using HTTPS.
+# (1) Preloading Strict Transport Security.
+# To submit your site for HSTS preloading, it is required that:
+# * the `includeSubDomains` directive is specified
+# * the `preload` directive is specified
+# * the `max-age` is specified with a value of at least 31536000 seconds
+# (1 year).
+# https://hstspreload.org/#deployment-recommendations
 #
-# (1) If you want to submit your site for HSTS preload (2) you must
-# * ensure the `includeSubDomains` directive to be present
-# * the `preload` directive to be specified
-# * the `max-age` to be at least 31536000 seconds (1 year) according to the
-# current status.
-#
-# It is also advised (3) to only serve the HSTS header via a secure
-# connection.
-#
-# (2) https://hstspreload.org/
-# (3) https://tools.ietf.org/html/rfc6797#section-7.2
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://tools.ietf.org/html/rfc6797#section-6.1
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
 # https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
+# https://hstspreload.org/
 
 add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
 
-# (1) or if HSTS preloading is desired (respect (2) for current requirements):
+# (1) Enable your site for HSTS preload inclusion.
 # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
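Review bot: The rewritten comment block drops two operational caveats the old text carried without replacing them: the warning to remove `includeSubDomains` when not every subdomain is served over HTTPS, and the RFC 6797 section 7.2 advice (with its link) to send the header only over a TLS connection. The active `add_header` line still sets `includeSubDomains`, so a reader of the new comments gets no hint that subdomains served over plain HTTP will become unreachable for the whole `max-age` window; consider restoring a line such as `# (!) Remove the \`includeSubDomains\` directive if any subdomain is not served over HTTPS.` next to the "(!) Be aware" paragraph, and keeping the `rfc6797#section-7.2` reference in the link list. The added paragraph also has a typo, `cerfiticate` should read `certificate`. The hunk starts at file line 2, so the heading line above it is outside this view.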