Chiloh Wei

Someone trying to understand the world, and to understand himself

HSTS and Full-site HTTPS

Yesterday, the certificate for my blog expired. While updating the certificate, I also checked the site's security on the MySSL website. Due to the lack of HSTS, the site only received an A rating instead of an A+. Therefore, I added HSTS to the blog and also enabled full-site HTTPS.

Enabling HSTS in Nginx

HSTS, short for HTTP Strict Transport Security, is an internet security policy mechanism published by the Internet Engineering Task Force. Its main purposes are:

  • Forcing clients (such as browsers) to establish connections with servers using HTTPS
  • Protecting websites and reducing session hijacking risks

Enabling HSTS is simple. Taking a website deployed with LNMP as an example, first switch to the Nginx site configuration directory:

cd /usr/local/nginx/conf/

Then open the site's configuration file, domain.com.conf, in that directory and add the following inside the server block that listens on port 443. Browsers only honor a Strict-Transport-Security header received over HTTPS, so the header belongs in the HTTPS server block, not in the port-80 block:

# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

After performing the check again, you will notice that the rating has changed to A+:

HSTS

Enabling Full-site HTTPS

Some of the work for full-site HTTPS had already been done earlier, so this round only fills in the gaps. Here is a brief summary; more detailed write-ups are easy to find online.

  1. Log in to the Typecho backend -> Settings -> Basic Settings -> Site Address, and change it to the HTTPS domain.
  2. Edit the config.inc.php file in the Typecho site's root directory and add the following line of configuration:

     /** Enable HTTPS */
     define('__TYPECHO_SECURE__', true);

  3. Edit the comments.php file in the theme folder and replace $this->commentUrl() with:

     // Replace only the scheme prefix, so a URL that is already https:// is left unchanged
     echo str_replace("http://", "https://", $this->commentUrl());

  4. Update the attachment URLs referenced by the site to HTTPS. Run the following SQL statement against the Typecho database, where domain.com is the site's domain:

     UPDATE `typecho_contents` SET `text` = REPLACE(`text`, 'http://domain.com', 'https://domain.com');

  5. Redirect port 80 (HTTP) to port 443 (HTTPS) in the web server (Nginx) so that every request ends up on HTTPS.
  6. Finally, open the Chrome browser and press F12; the Security panel shows the prompt "This page is secure (valid HTTPS)".
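The two Nginx pieces above, the HSTS header in the 443 block and the port-80 redirect from step 5, put together as one added example (this is not the post's own configuration). The domain, certificate paths, web root and PHP-FPM socket are placeholders to be replaced with the values of your LNMP installation.

```nginx
# Port 80: answer every plain-HTTP request with a permanent redirect to HTTPS.
# No Strict-Transport-Security header here: browsers ignore HSTS received over HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;   # placeholder domain
    return 301 https://$host$request_uri;
}

# Port 443: the real site. HSTS is sent from this block only.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.com www.domain.com;   # placeholder domain

    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # "always" adds the header to 4xx/5xx responses too, so an error page cannot
    # leave a browser without the policy. includeSubDomains commits every
    # subdomain to HTTPS for the whole max-age, so start with a short max-age
    # (for example 300) and raise it to one year only once all subdomains
    # are served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /home/wwwroot/domain.com;   # placeholder web root
    index index.php index.html;

    # Typecho front controller rewrite (assumed layout: everything goes through index.php)
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi.sock;   # placeholder; use your PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After `nginx -t` and a reload, `curl -sI http://domain.com/` should return a 301 with a `Location: https://...` header and no HSTS header, while `curl -sI https://domain.com/` should show the Strict-Transport-Security line.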

HTTPS
