Strict Transport Security - CodingForum

  • Strict Transport Security

    You know what's so funny is that I found tons of articles that talked about code syntax for this and different options. But I did not find one single site that told me which file to put this code into LMAO. I tried htaccess and that was a bad idea lol

    So what file does this go in? Or head section maybe?

    I think I am missing something that goes with it.

    HTML Code:
    Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload"
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  • #2
    I had to look up htaccess header to find an example. It goes like this, and yes, I had the syntax wrong. It goes in the htaccess folder

    Code:
    Header set Strict-Transport-Security: "max-age=63072000; env=HTTPS; includeSubDomains; preload;"
    I believe you can also use

    Code:
     Header always set
    as well

    • #3
      You have it right, it goes in your http headers, which you can set in httpd.conf/.htaccess or your server equivalent, or you can also set it in languages like PHP with the header() function just like you would character encoding or redirects.

      header('Strict-Transport-Security: max-age=63072000; includeSubDomains; preload');

      Would/should do the job. Note, for .htaccess you should NOT have the : in there, that's for the raw header. "Header set" you just say it.

      I would HIGHLY suggest making sure if you put it in .htaccess you make sure mod_headers.c is loaded, and you might want to specify what files it should be applied to. For example if you want it defaulted on .php and .js files:

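      Code:
      <IfModule mod_headers.c>
        <FilesMatch "\.(php|js)$">
          # env=HTTPS is a condition on the Header directive, so it goes after the quoted value, not inside it
          Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" env=HTTPS
        </FilesMatch>
      </IfModule>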
      Being the proper syntax. Note, some apache installs don't set headers for CGI/executables. Should not be a problem with node.js or PHP 7/later, but under legacy PHP you may have to set it using header() regardless. :/

      Basically, same as how one would set up cache-control to make Google lighthouse / insights STFU about it.

      Code:
      <IfModule mod_headers.c>
        # single | between alternatives; an empty alternative would also match names ending in a dot
        <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|mp4|mkv|js|css)$">
          Header set Cache-Control "max-age=2592000, public"
        </FilesMatch>
      </IfModule>
      -- edit -- and yes, it sucks out loud that the syntax in the actual header does not match the syntax used by httpd.conf and/or .htaccess. The config files use no colon and double quotes, the actual http/https header (and how PHP states it) uses a colon and no quotes.

      Nothing like a little consistency...
      Last edited by deathshadow; Sep 7, 2020, 11:51 AM.
      Bleed your death upon me, let your bloodline feed my youth.
      https://cutcodedown.com
      https://medium.com/@deathshadow
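
Added example, not part of the original thread or any poster's code: a small Python check of the raw Strict-Transport-Security value a server actually sends, which catches the config-versus-header mix-ups discussed above (a quoted value, Apache's env=HTTPS ending up inside the value). The function names, the sample values and the one-year preload minimum (from hstspreload.org) are assumptions of this example.

```python
import re

# Preload-list minimum max-age (one year). Assumption taken from the
# hstspreload.org submission requirements, not from the thread.
PRELOAD_MIN_AGE = 31536000
KNOWN = {"max-age", "includesubdomains", "preload"}

def parse_hsts(value):
    """Split a raw header value into {directive-name: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives such as a trailing ';' are legal
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives

def check_hsts(value):
    """Return a list of problems in a raw header value; empty means OK."""
    problems = []
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        problems.append("whole value is quoted: config-file syntax leaked into the header")
        value = value[1:-1]
    d = parse_hsts(value)
    for name in d:
        if name not in KNOWN:
            problems.append(f"unknown directive '{name}' in the header value")
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        problems.append("max-age is missing or not a non-negative integer")
    elif "preload" in d and int(age) < PRELOAD_MIN_AGE:
        problems.append(f"preload needs max-age >= {PRELOAD_MIN_AGE}")
    if "preload" in d and "includesubdomains" not in d:
        problems.append("preload needs includeSubDomains")
    return problems

# Constructed sample values modelled on the snippets in the thread.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=63072000; env=HTTPS; includeSubDomains; preload;",
    '"max-age=63072000; includeSubDomains; preload"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_hsts(sample) or "OK")
```

Feed it the value from a real response (for example the header line shown by your browser's network tab) rather than the line from the config file.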


      • #4
        Thank you, that's great. Yeah, would be nice if they were consistent even a tiny bit.