Site icon Voina Blog (a tech warrior's blog)

A+ Security for WordPress Blog – HTTP Strict Transport Security

Advertisements

Keeping the installation of your own WordPress blog highly secure is very important. In today’s fast pace discovery of security vulnerabilities you must keep an eye on all the new security threats and update as soon as possible the security to try to cover the new threat.
An invaluable tool is the security test from SSL Labs. This is a test that will check your web site against all the current threats discovered to jeopardise the integrity of your site.
I already posted a tutorial about securing a blog in the post “A” Rating Security – Strong SSL Security WordPress Blog.
To follow that in the next paragraph a new security threat is covered, the downgrading of security protocols to unsecure ones. This vulnerability can be avoided by enforcing “HTTP Strict Transport Security (HSTS)”.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security”. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

from Wiki

To activate this alter the configuration file for the host (/etc/httpd/conf.d/blog.conf) from the previous post and add under the Virtualserver tag the following:



SSLEngine On
....
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
....

Interestingly enough I had to add this only to my WordPress host , it seems that the Owncloud 8 host already enforces this from the php code.

As a result of the above configuration again I have an A+ rating for the blog. See SSL Labs test for blog.voina.org

Exit mobile version