hsts

I'm setting up site-wide HTTPS for my Django 1.8 project. I am not experienced in web security. I'm setting up HTTP to HTTPS redirect and HSTS. Right now, I was configuring this on my Apache/mod_wsgi Web Server (I'm using a PaaS so I configure it through the .htaccess file on the WSGI root): wsgi/.htaccess # Redirect HTTP to HTTPS RewriteEngine on RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L] # Add HSTS header Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" # Deny rendering inside an iframe Header

We like to enable HSTS to our IIS deployed web application. We have SSL terminating ELB Application load balancer. We have enabled the URL rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable HSTS header in the response. Presently, ALB does not appear to pass custom headers from IIS to the ALB, to the end-user. We wanted to see if there is a way to enable HSTS either at ALB level where it can accept custom headers or if it can be set at IIS level and ALB can pass through the HSTS headers to the browser? HSTS is a policy that is controlled by the backend and not by

I have followed the article https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts to enable HSTS header on my spring boot application. Despite of making the required changes, Strict-Transport-Security header is not appearing the response. pom.xml (dependencies) <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org

I am implementing a nodejs application using sails.js . I want my user to communicate only through https. So for doing that I need to configure my server my way so that with each response it will add a header "Strict-Transport-Security", "max-age=31536000" to tell browser to communicate with HSTS only. Now how I can modify every response header that I am going to send from sails js.I searched the documentation but did not found any help. Policies are only applied to the controllers that you explicitly assign them to in config/policies.js . Instead of using a policy, try adding an express

Let me explain a real world situation here. I run the website https://www.liloo.ro and I want to enable HSTS (+HSTS preload) for it. The problem is that in order to submit it to the preload list the main domain has to respond with a HSTS header. Let me be more precise: In order to submit a site to the preload list and meet the requirements the first redirect has to be to the https version of the main domain. In my case I can't redirect from http directly to https + www -> I have to redirect first from http to https (serve the main domain name HSTS header here) and redirect once again to https