to dirprocess: SSL and HSTS on apache rev 8 jun 2021
Category: server
.........................
What is SSL?
.........................
What is TLS?
.........................
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It is a method
used by websites to declare that they should only be accessed using
a secure connection (HTTPS). If a website declares an HSTS policy,
the browser must refuse all HTTP connections and prevent users from
accepting insecure SSL certificates.
... was defined as a web security standard in 2012 in RFC 6797
https://www.acunetix.com/blog/articles/what-is-hsts-why-use-it/
may 2019
Why HSTS?
By default, redirecting HTTP requests to HTTPS leaves the
possibility for a MITM style attack to intercept the initial
request. The HTTP Strict-Transport-Security (HSTS) header attempts
to resolve this: once a supported web browser sees the HSTS header,
it knows that the website has been configured to use HTTPS and will
send all future requests over HTTPS rather than HTTP.
https://www.reddit.com/r/firefox/comments/8jtkjf/how_do_i_bypass_hsts/
2018
.........................
HSTS through cPanel/WHM:
* How to enable HSTS/Content Security Policy on a cPanel server.
-- James Wright
january 2021
https://support.cpanel.net/hc/en-us/articles/360055614293-How-to-enable-HSTS-Content-Security-Policy-on-a-cPanel-server
* Enable HSTS on cPanel & WHM interface?
oct 2019
https://forums.cpanel.net/threads/enable-hsts-on-cpanel-whm-interface.660685/
.........................
HSTS in .htaccess:
* Add this to the .htaccess file:
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
3 oct 2019
https://forums.cpanel.net/threads/enable-hsts-on-cpanel-whm-interface.660685/
Requiring https and valid cert.
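
Added example (not from the cPanel thread or any other source cited here): a small Python checker for the header value that the .htaccess line above sends. It parses the value the way RFC 6797 section 6.1 describes and flags the HSTS preload list's published conditions (max-age of at least one year, includeSubDomains); the function names parse_hsts and audit_hsts are made up for this note.

```python
# Added example: audit a Strict-Transport-Security header value.
# parse_hsts / audit_hsts are hypothetical names, not part of Apache or cPanel.
import re

ONE_YEAR = 31536000  # the max-age used in the .htaccess line above


def parse_hsts(value):
    """Parse an HSTS header value per RFC 6797 section 6.1.

    Returns a dict of lower-cased directive -> value (None if valueless),
    or None if the header is invalid and a browser would ignore it.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives


def audit_hsts(value):
    """Return a list of findings; an empty list means nothing to flag."""
    d = parse_hsts(value)
    if d is None:
        return ["invalid header: browsers ignore it, no HSTS policy is set"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    if "preload" in d:  # preload is a preload-list convention, not in the RFC
        if d["max-age"] < ONE_YEAR:
            findings.append("preload needs max-age of at least one year")
        if "includesubdomains" not in d:
            findings.append("preload needs includeSubDomains")
    return findings
```

Feed it the value copied from the response headers of the live site (for instance from the output of curl -sI), since a typo in .htaccess shows up there as an "invalid header" finding.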
.........................
making browser access an HSTS site:
https://duckduckgo.com/?q=how+to+bypass+HSTS+in+firefox
Much easier in Chrome.
https://w-se.com/how-to-disable-hsts-in-chrome-firefox/
Good instructions, and explanation of HSTS/SSL.
-- Melina Richardson
feb 2021
But - tried it for Chrome, didn't work
(IP address was in my hosts file, not DNS.
The Chrome net-internals page didn't seem to fully load.
So either of those could be the issue.)
.......................................................
➽ links and resources:
_______________________________________________________
begin 8 jun 2021
-- 0 --