to dirprocess: SSL and HSTS on apache                                            rev 8 jun 2021

Category: server


.........................
What is SSL?



.........................
What is TLS?


.........................
What is HSTS?

HSTS stands for HTTP Strict Transport Security. It is a method
used by websites to declare that they should only be accessed using
a secure connection (HTTPS). If a website declares an HSTS policy,
the browser must refuse all HTTP connections and prevent users from
accepting insecure SSL certificates.
... was defined as a web security standard in 2012 in RFC 6797
  https://www.acunetix.com/blog/articles/what-is-hsts-why-use-it/
  may 2019

Why HSTS?
  By default, redirecting HTTP requests to HTTPS leaves the
  possibility for a MITM-style attack to intercept the initial
  request. The HTTP Strict-Transport-Security (HSTS) header attempts
  to resolve this: once a supported web browser sees the HSTS header,
  it knows that the website has been configured to use HTTPS and will
  send all future requests over HTTPS rather than HTTP.
  https://www.reddit.com/r/firefox/comments/8jtkjf/how_do_i_bypass_hsts/
  2018


.........................
HSTS through cPanel/WHM:

  * How to enable HSTS/Content Security Policy on a cPanel server. 
      -- James Wright
      january 2021
      https://support.cpanel.net/hc/en-us/articles/360055614293-How-to-enable-HSTS-Content-Security-Policy-on-a-cPanel-server

  * Enable HSTS on cPanel & WHM interface?
      oct 2019
      https://forums.cpanel.net/threads/enable-hsts-on-cpanel-whm-interface.660685/


.........................
HSTS in .htaccess:

  * Include this in the .htaccess file:
      # Security header: enable HSTS
      # env=HTTPS: mod_ssl sets this variable only for requests served over TLS,
      # so the header is never sent on plain HTTP (as RFC 6797 requires)
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
      3 oct 2019
      https://forums.cpanel.net/threads/enable-hsts-on-cpanel-whm-interface.660685/
      Requires HTTPS and a valid cert.
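
  To make the browser side of the mechanism concrete, here is a small Python model of an HSTS store: it parses the Strict-Transport-Security value from the header above, remembers the policy for max-age seconds, and rewrites later http:// URLs for that host (and its subdomains when includeSubDomains is set) to https://. This is an added example, not code from these notes, from Apache or from any browser; the hostnames used with it are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when malformed: RFC 6797 requires a max-age directive whose
    value is a non-negative integer (optionally quoted)."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # 'preload' and unknown directives do not change browser behaviour
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Model of a browser's HSTS store; the clock is injectable for testing."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.known = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value):
        """Record the policy carried by an HTTPS response. Browsers must ignore
        the header when it arrives over plain HTTP, so only pass HTTPS responses."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget this host
            self.known.pop(host.lower(), None)
            return
        self.known[host.lower()] = (self.clock() + max_age, include_sub)

    def rewrite(self, url):
        """Return url upgraded to https:// if a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host, now = parts.hostname, self.clock()
        for known, (expires, include_sub) in list(self.known.items()):
            if expires <= now:  # expired policy: drop it, the URL stays http
                del self.known[known]
            elif host == known or (include_sub and host.endswith("." + known)):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```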


.........................
making a browser access an HSTS site:

  https://duckduckgo.com/?q=how+to+bypass+HSTS+in+firefox

  Much easier in Chrome. 

  https://w-se.com/how-to-disable-hsts-in-chrome-firefox/
    Good instructions, and explanation of HSTS/SSL.
    -- Melina Richardson
    feb 2021
    But - tried it for Chrome, didn't work
      (IP address was in my hosts file, not DNS.
       The Chrome net-internals page didn't seem to fully load.
       So either of those could be the issue.)


.......................................................
➽  links and resources: 





_______________________________________________________
begin 8 jun 2021
-- 0 --