Approved HTTP Strict Transport Security (HSTS)

Kieran · Jul 26, 2017

Since I started playing with HTTP and HTTPS on my own server for some extra security and fun, I thought it would be nice to have HSTS on the r4p3 forum too.

It makes it more secure and will prevent cookie hijacking and downgrade attacks.
So you'll always be secure on R4P3.
Additionally, an idea would be to go a step further and use HSTS preload. https://hstspreload.org/

Adding HSTS is really easy so I can't really see anything against it.

Also, this would get R4P3 the A+ on SSLLabs

https://www.ssllabs.com/ssltest/analyze.html?d=r4p3.net&s=104.31.94.226&hideResults=on&latest

Kleberstoff · Jul 26, 2017

Kieran said:
Since I started playing with HTTP and HTTPS on my own server for some extra security and fun, I thought it would be nice to have HSTS on the r4p3 forum too.

It makes it more secure and will prevent cookie hijacking and downgrade attacks.
So you'll always be secure on R4P3.
Additionally, an idea would be to go a step further and use HSTS preload. https://hstspreload.org/

Adding HSTS is really easy so I can't really see anything against it.

Also, this would get R4P3 the A+ on SSLLabs
https://www.ssllabs.com/ssltest/analyze.html?d=r4p3.net&s=104.31.94.226&hideResults=on&latest

I don't see anything that would go against it. I would love to hear @Asphyxia's Opinion on it as well.

Kieran · Aug 3, 2017

R4P3 team, yes/no? Reason?

Asphyxia · Sep 11, 2017

We are also looking to add DNSSEC: http://dnssec-debugger.verisignlabs.com/r4p3.net#

We now have HSTS, see here: https://www.ssllabs.com/ssltest/analyze.html?d=r4p3.net&hideResults=on

Kieran · Sep 11, 2017

Asphyxia said:
We are also looking to add DNSSEC: http://dnssec-debugger.verisignlabs.com/r4p3.net#

We now have HSTS, see here: https://www.ssllabs.com/ssltest/analyze.html?d=r4p3.net&hideResults=on

Noice

dedmen · Sep 11, 2017

https://hstspreload.org/?domain=r4p3.net still not green tho

Kieran · Sep 11, 2017

dedmen said:
https://hstspreload.org/?domain=r4p3.net still not green tho

Preload is something different and not set up.
HSTS is enabled though.

Asphyxia · Sep 11, 2017

I think for preload every sub domain needs https, we could do that easily with certbot I guess

Kieran · Sep 11, 2017

Asphyxia said:
I think for preload every sub domain needs https, we could do that easily with certbot I guess

Wildcards for letsencrypt in january. Wont be a problem then

Asphyxia · Sep 11, 2017

Kieran said:
Wildcards for letsencrypt in january. Wont be a problem then

That will be very nice, I look forward to it!

Kieran · Sep 12, 2017

Asphyxia said:
That will be very nice, I look forward to it!

Yesss we all do! It will reduce my entries in my cert to 5 instead of 25 xD
Got many subdomains and I'm waiting for this feature for such a long time.

Preload sounds good. Never knowingly visited a site with preload before

Asphyxia · Sep 12, 2017

Kieran said:
Yesss we all do! It will reduce my entries in my cert to 5 instead of 25 xD
Got many subdomains and I'm waiting for this feature for such a long time.

Preload sounds good. Never knowingly visited a site with preload before

Same cert requirements make it hard

Approved HTTP Strict Transport Security (HSTS)

Kieran

Tag me

Kleberstoff

Knowledge Seeker

Kieran

Tag me

Asphyxia

Owner

Kieran

Tag me

dedmen

Kieran

Tag me

Asphyxia

Owner

Kieran

Tag me

Asphyxia

Owner

Kieran

Tag me

Asphyxia

Owner