
301 Redirect and HSTS in .htaccess

I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful?

# Send the HSTS header on every response (browsers only honour it on https responses)
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=16070400"
</IfModule>

# Redirect any plain-http request to the same host and path over https
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

Cheers

A redirect tells people who enter http://www.example.com to go to https://www.example.com . Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www.example.com, so yes, you need this redirect.

There are a few problems with this though.

First up, http is insecure and can be read and altered by other people on the network. That's the very reason you should use https. However, as http is insecure, that means they could intercept your redirect and keep you on the http version and continue to intercept your traffic. Or alternatively redirect you to https://www.evilexample.com instead.

HTTP Strict Transport Security (or HSTS) is a security mechanism which attempts to address this issue. Your server tells the browser to ALWAYS use https for that site. Even if they don't type the protocol (when http would normally be used), and even if you DO type the protocol as http.

Once a browser has loaded HSTS for a site it will not even send an http request at all and will automatically change these to https instead. This has several advantages:

  1. It's more secure as it cannot be intercepted.
  2. It's quicker as it doesn't waste time sending a request to http://www.example.com just to be told to go to https://www.example.com .
  3. It can be used to address mixed content errors, as http resources (for that site only, but not loaded from other sites) will automatically be changed if you accidentally include an http source. Content Security Policy's upgrade-insecure-requests is probably a better solution for that, but HSTS still provides a basic version.

Also, as the other answer stated, another separate benefit is that this setting also means browsers will not allow visitors to click through certificate errors for this site, which adds extra security against attacks.

The main downsides of HSTS are that:

  1. Your site needs to be https only - which may seem obvious, but it is easy to miss part of the site that is on http only. Or a subdomain on http if using the includeSubDomains option.
  2. The visitor needs to visit the site first to pick up the HSTS policy, though you can preload this into browsers, but that's not a decision to be taken lightly.
  3. Browser support is not universal yet. And even if it were, crawlers used by search engines and the like probably wouldn't use it.

So hopefully that explains why HSTS is a good thing and is something you should keep. On top of the redirect.

Yes! You should keep both of them. From the OWASP docs, there are many benefits to using HSTS. E.g.:

  • automatically redirects HTTP requests to HTTPS.

  • prevents users from overriding invalid certificate messages.

I think you should have a look at this documentation https://varvy.com/pagespeed/hsts.html which says:
It is basically like a 301 redirect, but at the browser level, rather than the webpage level. It is superior to a 301 redirect as it can be implemented to always only use https, whereas 301 redirects are actually insecure when first seen by a browser.

After reading the documentation, you can decide about it.
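As an added example that is not part of either answer or the original post, the following Python script models the HSTS store a browser keeps and walks through the sequence both answers describe: the first visit still goes out over plain http and depends on the 301, the header only counts once it arrives over an https response, later visits are upgraded locally without any http request being sent, certificate errors cannot be clicked through, includeSubDomains covers child names only (not the parent domain), and the policy lapses once max-age elapses. The max-age value is the one from the question; includeSubDomains, the host names and the simulated clock are assumptions made for the demonstration.

```python
# Toy model of a browser's HSTS store (RFC 6797). Added example for this page,
# not code from the question, the answers, or any real browser.
from __future__ import annotations
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute clock time when the policy lapses
    include_subdomains: bool  # whether includeSubDomains was present


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.entries: dict[str, HstsEntry] = {}

    def observe(self, scheme: str, host: str, header: str | None) -> bool:
        """Record the Strict-Transport-Security header of one response.
        Returns True if a policy was stored."""
        # RFC 6797 section 8.1: the header is ignored on non-https responses,
        # so sending it with the plain-http 301 does nothing for the browser.
        if scheme != "https" or header is None:
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False          # malformed header: ignore it
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        self.entries[host.lower()] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def _policy_for(self, host: str) -> HstsEntry | None:
        # Check the exact host, then each parent domain; a parent's policy only
        # applies with includeSubDomains. Expired entries are dropped on the way.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():
                del self.entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// locally if a policy applies."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or self._policy_for(host) is None:
            return url
        netloc = host
        if parts.port == 80:
            netloc += ":443"              # explicit port 80 maps to 443
        elif parts.port:
            netloc += f":{parts.port}"    # other ports are kept as-is
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allows_cert_override(self, host: str) -> bool:
        # Browsers refuse click-through on certificate errors for HSTS hosts.
        return self._policy_for(host) is None


# Header value from the question, plus includeSubDomains (assumed for the demo).
HSTS_HEADER = "max-age=16070400; includeSubDomains"


def simulate_visits() -> dict[str, object]:
    """First and later visits as the answers describe them (constructed hosts)."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    out: dict[str, object] = {}
    # First visit: no policy yet, so the request really goes out over http.
    out["first_visit"] = store.rewrite("http://www.example.com/")
    # The http 301 carries the header too, but the browser ignores it there.
    out["stored_from_http"] = store.observe("http", "www.example.com", HSTS_HEADER)
    # Following the redirect, the https response delivers the policy.
    out["stored_from_https"] = store.observe("https", "www.example.com", HSTS_HEADER)
    # Later visits are upgraded before any request leaves the browser.
    out["second_visit"] = store.rewrite("http://www.example.com/login?next=1")
    out["subdomain"] = store.rewrite("http://cdn.www.example.com/a.js")
    # includeSubDomains covers children of www.example.com, not example.com.
    out["parent_domain"] = store.rewrite("http://example.com/")
    out["cert_override"] = store.allows_cert_override("www.example.com")
    # Once max-age elapses without a refresh, the browser forgets the policy.
    clock[0] += 16070400 + 1
    out["after_expiry"] = store.rewrite("http://www.example.com/")
    return out
```

Run it and inspect the dictionary simulate_visits() returns. Because RFC 6797 requires browsers to ignore the header on non-https responses, the Header directive in the question is harmless but useless on the plain-http 301 that carries it; when Apache itself terminates TLS it can be limited to https responses by appending env=HTTPS to that Header line.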
