Author

Topic: HSTS implementation to improve HTTPS in bitcointalk (Read 508 times)

rme
hero member
Activity: 756
Merit: 504
Up
rme
hero member
Activity: 756
Merit: 504
I know I have suggested this two times but I consider it necessary.



Please enable HSTS to avoid sslstrip or a MITM replacing the http page.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

With PHP check if the page is been served in HTTP, if so redirect to HTTPS.
In HTTPS set the HSTS header:
Code:
header("strict-transport-security: max-age=31536000");
(Example implementation in PHP).

That tells the browser to only use the HTTPS versión of bitcointalk.org for a year (31536000 seconds).
So, my browser will go directly to https even if I have no internet conection.
Jump to: