What's the best way to implement HSTS?


#1

I have just installed V4 with Let’s Encrypt and I would like to get on the HSTS preload list: https://hstspreload.org

I am also using CloudFlare. As far as I know, Cloudflare has settings for HSTS, but they would not work with my Let’s Encrypt cert.

Any ideas to make it work with custom Nginx mod or htaccess or some tweaks?


#2

EEv4 satisfies 1-3 of the requirements (https://hstspreload.org/); for #4, add the following to user.conf :
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;


#3

@mrrobot47 is there a way we can get this added to the official EE4 install? Or is there some reason why it has been left out?


#4

Hi @zac

If I add that line to the user.conf file, will the changes be lost when a new EE v4 version is released? Or will updating EE overwrite the user.conf file?

Also what is the exact location of the user.conf file?

Thanks


#5

Updating EE shouldn’t overwrite user.conf. You can safely add your edits there. The location of user.conf is /opt/easyengine/sites/example.com/config/nginx/custom/
You can see the file structure here https://easyengine.io/handbook/global-filesystem-structure/site-filesystem-structure


#7

@Gabor_Torda @Endda HSTS was kept off by default in the beginning as it would create issues, like not letting the site load if the SSL certs have expired.

As this is something that is needed and necessary in some cases, it will be a part of ee site update. I have updated the comment in the issue for ee site update to have an option for HSTS toggling. This will be worked on soon.


#8

@mrrobot47 When can we use this new HSTS update feature?

One more thing. One of the requirements of HSTS is that the site should not redirect from http://domain.com to https://www.domain.hu; rather, it should only redirect to https://domain.com

The default setting with easyengine is the redirect to the www version. How can we set this redirect manually in .htaccess, or does the HSTS update solve this redirect problem as well?
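A small offline checker for the two points raised in this thread, the header from post #2 and the first-redirect rule from post #8, written as an added example that is not part of the original posts or of EasyEngine. It assumes the hstspreload.org requirements as summarized above (max-age of at least one year, includeSubDomains, preload, and an HTTP-to-HTTPS redirect that stays on the same host); the header and redirect values are constructed samples, not fetched from a live site.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age required by hstspreload.org


def parse_hsts(value):
    """Split an HSTS header value into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def preload_problems(header_value):
    """Return the preload requirements the header fails (empty list = OK)."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not a number"]
    problems = []
    if max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def redirect_problems(source, location):
    """Check the first redirect from http://host: must go to https on the same host."""
    src, dst = urlsplit(source), urlsplit(location)
    problems = []
    if dst.scheme != "https":
        problems.append("does not redirect to https")
    if dst.hostname != src.hostname:
        problems.append("redirects to a different host (%s)" % dst.hostname)
    return problems


# Constructed samples: the header from post #2 and the www redirect from post #8.
EE_HEADER = "max-age=31536000; includeSubDomains; preload"
print(preload_problems(EE_HEADER))
print(redirect_problems("http://domain.com/", "https://www.domain.com/"))
print(redirect_problems("http://domain.com/", "https://domain.com/"))
```

The redirect check only covers the first hop; with the nginx `always` flag from post #2 the header is also sent on redirect and error responses, which is what the preload check expects.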