Missing 'Strict-Transport-Security' Header in php

Jyotishgher Astrology



The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.


Note: The Strict-Transport-Security header is ignored by the browser when your site has only been accessed using HTTP.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects a website's users against protocol-downgrade attacks and tells user agents and web browsers, through a response header, how to handle their connection to the site. Whenever a website is first reached over HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created: because the user first communicates with the non-encrypted version of the site, the redirect can be tampered with and lead the user to a malicious website. A server implements the HSTS policy by supplying the header over an HTTPS connection, which instructs the browser to load the site only over HTTPS rather than HTTP from then on.

<?php
// Send the HSTS header. Header names are case-insensitive, but the canonical
// spelling is used here. The browser only honours it on a response that was
// itself delivered over HTTPS; max-age=600 keeps the policy for 10 minutes.
header("Strict-Transport-Security: max-age=600");
?>

Examples:

Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and subdomains will be HTTPS for a max-age of 1 hour. This blocks access to pages or sub domains that cannot be served over HTTPS.


Syntax:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives:

  • <expire-time>: The time, in seconds, for which the user agent or browser should only access the server in a secure fashion, that is, by using HTTPS.
  • includeSubDomains: This directs the browser to apply the rule to all pages and sub-domains of the site as well.
  • preload: This is necessary for inclusion in most major web browsers' HSTS preload lists. Browsers ship that list built in, so a preloaded site is treated as HTTPS-only even on the very first visit, before any header has been seen.

Explanation: If a user types http://www.geeksforgeeks.com/ or just geeksforgeeks.com into the address bar, the browser's first request goes out over plain HTTP, which creates a chance for a man-in-the-middle attack. The HTTP-to-HTTPS redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
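The following is an added example, not code from the original post, showing how to emit the header from PHP only on HTTPS responses (where browsers honour it), redirect plain-HTTP requests to a fixed canonical host, and refuse to emit a preload value that does not meet the preload-list requirements. The canonical host name and the use of $_SERVER['HTTPS'] are assumptions; adjust them if TLS terminates at a proxy in front of PHP.

```php
<?php
// Added example: HSTS handling for a PHP site. Assumes the SAPI sets
// $_SERVER['HTTPS'] when TLS terminates at this server.

const CANONICAL_HOST = 'www.example.com';  // placeholder: your real HTTPS host
const HSTS_MAX_AGE   = 31536000;           // one year, the minimum for preload

function isHttpsRequest(array $server): bool
{
    // Apache and PHP-FPM set HTTPS to 'on' or '1'; on plain HTTP it is unset or 'off'.
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function buildHstsHeader(int $maxAge, bool $includeSubDomains, bool $preload): string
{
    if ($maxAge < 0) {
        throw new InvalidArgumentException('max-age must be non-negative');
    }
    $value = 'max-age=' . $maxAge;
    if ($includeSubDomains) {
        $value .= '; includeSubDomains';
    }
    if ($preload) {
        // Preload lists require includeSubDomains and max-age >= 1 year;
        // emitting 'preload' without them would be rejected anyway.
        if (!$includeSubDomains || $maxAge < 31536000) {
            throw new InvalidArgumentException('preload needs includeSubDomains and max-age >= 31536000');
        }
        $value .= '; preload';
    }
    return 'Strict-Transport-Security: ' . $value;
}

function sendHsts(array $server): void
{
    if (!isHttpsRequest($server)) {
        // Browsers ignore HSTS on HTTP responses, so do not send it here.
        // Redirect to a fixed host rather than echoing the request's Host header.
        $path = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
    header(buildHstsHeader(HSTS_MAX_AGE, true, true));
}

sendHsts($_SERVER);
```

Because the policy is cached for max-age seconds, start with a short value while confirming every page and subdomain is reachable over HTTPS, then raise it to a year before adding preload.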
