Approved HTTP Strict Transport Security (HSTS)

Kieran

Tag me
Contributor
Jan 1, 2016
Since I started playing with HTTP and HTTPS on my own server for some extra security and fun, I thought it would be nice to have HSTS on the r4p3 forum too.

It makes it more secure and will prevent cookie hijacking and downgrade attacks.
So you'll always be secure on R4P3.
Additionally, an idea would be to go a step further and use HSTS preload. https://hstspreload.org/

Adding HSTS is really easy so I can't really see anything against it.

Also, this would get R4P3 the A+ on SSLLabs :p
https://www.ssllabs.com/ssltest/analyze.html?d=r4p3.net&s=104.31.94.226&hideResults=on&latest
 

Kleberstoff

Knowledge Seeker
VIP
Dec 29, 2015
I don't see anything that would go against it. I would love to hear @Asphyxia's opinion on it as well.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
I think for preload every subdomain needs HTTPS; we could do that easily with certbot, I guess.
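Added example, not code from the thread or from r4p3.net: Kieran's opening post describes what HSTS buys you and suggests preload, and Asphyxia's reply points out that preload drags every subdomain along. The script below parses a Strict-Transport-Security header value the way RFC 6797 section 6.1 describes (case-insensitive directive names, optional quoting, max-age required, no duplicate directives), checks it against the hstspreload.org submission rules, and shows why includeSubDomains (which preload requires) makes a policy set on r4p3.net cover any subdomain. Assumptions: the one-year max-age minimum is the hstspreload.org threshold as I know it and may change; the sample header values and the hostnames forum.r4p3.net and notr4p3.net are constructed for the example; the header check says nothing about whether those subdomains actually serve valid certificates, which is the part certbot has to solve.

```python
import re

# Assumption: hstspreload.org currently requires max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample headers: the weak setting beside the one preload accepts.
WEAK_HEADER = "max-age=300"
GOOD_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are lower-cased (RFC 6797 treats them case-insensitively),
    max-age is converted to int, and a ValueError is raised for a policy a
    browser would reject: missing max-age, non-numeric max-age, or a directive
    that appears more than once.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' or doubled separators
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError("empty directive name")
        if name in directives:
            # RFC 6797 6.1: a given directive MUST NOT appear more than once.
            raise ValueError("duplicate directive " + name)
        directives[name] = val.strip().strip('"') if sep else None
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    max_age = directives["max-age"]
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(value):
    """List why a header fails the preload-list rules; [] means it qualifies.

    This covers only the header itself. The site must also redirect HTTP to
    HTTPS and serve a valid certificate on every subdomain, because the
    includeSubDomains directive the list requires makes browsers refuse plain
    HTTP to all of them.
    """
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return ["invalid header: " + str(e)]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below %d" % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def policy_covers(policy_host, directives, request_host):
    """Does a policy learned from policy_host apply to request_host?

    RFC 6797 section 8.2/8.3: the exact host is always covered; subdomains are
    covered only when includeSubDomains is present. A lookalike such as
    notr4p3.net is not a subdomain of r4p3.net and is never covered.
    """
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return "includesubdomains" in directives and request_host.endswith("." + policy_host)


if __name__ == "__main__":
    for header in (WEAK_HEADER, GOOD_HEADER):
        print(repr(header), "->", preload_problems(header) or "preload-ready")
    good = parse_hsts(GOOD_HEADER)
    print("forum.r4p3.net covered:", policy_covers("r4p3.net", good, "forum.r4p3.net"))
    print("notr4p3.net covered:", policy_covers("r4p3.net", good, "notr4p3.net"))
```

Run it as a script to see the two sample headers judged side by side; the practical takeaway is that the moment you add includeSubDomains to qualify for preload, every hostname under the domain, including ones nobody remembers, must answer over HTTPS with a valid certificate, and preloaded entries cannot be undone quickly by lowering max-age.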
 

Kieran

Tag me
Contributor
Jan 1, 2016
That will be very nice, I look forward to it!
Yesss we all do! It will reduce my entries in my cert to 5 instead of 25 xD
Got many subdomains and I'm waiting for this feature for such a long time.

Preload sounds good. Never knowingly visited a site with preload before
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Same cert requirements make it hard.
 