HSTS all your HTTPS servers
Just a quick post about HTTP Strict Transport Security (HSTS) and how easy it was to enable it for this domain, running on NGINX.
Basically, stick the following line in the /etc/nginx/sites-available/my-site file, in the SSL server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Then reload the config with something like sudo service nginx reload.
On the back of some recent news articles about some cunning naughty hacks involving hijacking websites which have both HTTP and HTTPS versions, I read up on HSTS on the invaluable MDN site. Following that I found a handy blog from the NGINX team about configuring NGINX for HSTS.
The idea is that by sticking this Strict-Transport-Security header in responses to the HTTPS variant of a site, you're telling browsers they should always request the HTTPS variant, even if the user or another link says to use the HTTP variant. The browser stores that instruction for the duration set by max-age and won't make HTTP requests to your site in that time.
From start to end, updating the config for this site took about 10 mins, 15 if you include clearing browser caches and re-testing the site to check the new header was present.
If you’re running an HTTPS website, go on, get it updated to add this header. It’s a 10 min job and it addresses a fairly nasty site hijacking attack.
One minor warning - take note of the comments about that max-age size. Once a browser sees that header, it's going to be requesting the HTTPS version of your site until that time has passed.
So to start with, set it to something small, like 300 (5 mins). Then do your reload and check it all works. Then maybe boost it to 3600 (1 hour) and leave it there until you’ve had enough live traffic through to know it’s working.
The big number in the config line above (31536000 seconds) is about 1 year, so if I turn off the HTTPS version of this site (and keep the HTTP version), for the next year some browsers will still make requests for the HTTPS version and refuse to fall back to the HTTP version.
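To make the browser side of this concrete, here is a small added example (not code from this post, and not NGINX's code) that models what a browser does with the header: it parses the Strict-Transport-Security value, keeps one policy per host with an expiry, and rewrites http:// URLs to https:// while that policy is live. The rollout_demo function walks through the staged max-age advice above (300 seconds first, then the one-year value) using a constructed clock and the hypothetical host example.com, so you can see both the upgrade and the one-year lock-in without touching a real server.

```python
"""Added example, not code from the post or from NGINX: a minimal model of
how a browser applies HSTS. It parses the Strict-Transport-Security value,
keeps one policy per host with an expiry, and rewrites http:// URLs to
https:// while the policy is live. Hosts and timings are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if there is no usable
    numeric max-age. Directive names are case-insensitive, values may be quoted."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Per-host HSTS policies with expiry, as a browser keeps them."""

    def __init__(self, clock=time.time):
        self.clock = clock      # callable returning seconds; injectable for the demo
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record the policy carried by a response to url. Only HTTPS responses
        count (hence add_header in the SSL server block); max-age=0 forgets a host."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (self.clock() + max_age, include_subdomains)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now, labels = self.clock(), host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if now >= expires_at:               # max-age has passed: forget it
                del self.policies[candidate]
            elif i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # Port 80 becomes the default HTTPS port; any other explicit port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rollout_demo():
    """Walk the post's staged rollout with a constructed clock: max-age=300 first,
    then the one-year value, and show what an http:// link turns into at each step."""
    clock = {"now": 0.0}
    cache = HstsCache(lambda: clock["now"])
    site, page = "https://example.com/", "http://example.com/page"   # hypothetical host
    short = {"Strict-Transport-Security": "max-age=300"}
    year = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    results = {}
    cache.observe("http://example.com/", short)        # seen over plain HTTP: ignored
    results["before"] = cache.upgrade(page)
    cache.observe(site, short)                         # stage 1: 5 minutes
    results["during"] = cache.upgrade(page)
    clock["now"] += 301                                # the 5 minutes have passed
    results["after"] = cache.upgrade(page)
    cache.observe(site, year)                          # final: 1 year, subdomains included
    results["subdomain"] = cache.upgrade("http://www.example.com/")
    clock["now"] += 31536000 - 1
    results["day_364"] = cache.upgrade("http://example.com/")
    clock["now"] += 1                                  # the year has passed
    results["year_later"] = cache.upgrade("http://example.com/")
    return results


if __name__ == "__main__":
    for step, url in rollout_demo().items():
        print(f"{step:>10}: {url}")
```

Running it shows the point of the warning above: once the one-year header has been seen, every http:// link to the site, and to its subdomains because of includeSubDomains, is rewritten to https:// until the clock passes max-age, and nothing the server does in the meantime (short of serving max-age=0 over HTTPS) changes that.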