Topic: HSTS implementation to improve HTTPS in bitcointalk (Read 496 times)

rme
hero member
Activity: 756
Merit: 504
I know I have suggested this two times but I consider it necessary.

Please enable HSTS to avoid sslstrip or a MITM replacing the http page.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

With PHP, check if the page is being served over HTTP; if so, redirect to HTTPS.
In HTTPS set the HSTS header:
Code:
// Send only on HTTPS responses; max-age is one year in seconds
header("Strict-Transport-Security: max-age=31536000");
(Example implementation in PHP).

That tells the browser to only use the HTTPS version of bitcointalk.org for a year (31536000 seconds).
So, my browser will go directly to https even if I have no internet connection.
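The check-then-redirect-then-header flow from the post, written out as an added PHP example (it is not rme's code and not anything bitcointalk.org is known to run). It assumes PHP itself terminates TLS so that $_SERVER['HTTPS'] is trustworthy, and it pins the redirect host to bitcointalk.org rather than echoing the client-supplied Host header.

```php
<?php
// Added example, not from the original post: include this at the top of
// every page. Assumes PHP terminates TLS directly; behind a TLS-terminating
// proxy you would consult the proxy's forwarded-protocol header instead.

const SITE_HOST    = 'bitcointalk.org'; // fixed, so a forged Host header cannot steer the redirect
const HSTS_MAX_AGE = 31536000;          // one year in seconds, the value used in the post

function request_is_https(): bool
{
    // PHP sets HTTPS to a non-empty value on TLS requests; IIS may set it to "off".
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!request_is_https()) {
    // Plain-HTTP request: send the browser to the same path over HTTPS.
    // No HSTS header here: browsers ignore Strict-Transport-Security
    // unless it arrives on an HTTPS response.
    $target = 'https://' . SITE_HOST . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// HTTPS request: tell the browser to use only HTTPS for this host for a year.
header('Strict-Transport-Security: max-age=' . HSTS_MAX_AGE);
```

Once a browser has seen the header over HTTPS, it rewrites later http:// requests to https:// locally before sending anything, which is why the sslstrip-style downgrade the post describes no longer gets a plaintext request to intercept.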