1

I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?

Nosajimiki

1 Answer

7

No, a rewrite rule is still vulnerable to attacks like sslstrip.

If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.

AndrolGenhald
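An added example, not part of the original question or answer: a Python check, run on constructed captures, that labels the redirect the RewriteRule sends over plaintext and reports whether the HTTPS response sets a usable HSTS policy under RFC 6797. The function names, finding labels and sample responses are assumptions made for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {'max_age': int, 'include_subdomains': bool}, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen[name] = val.strip().strip('"')  # the value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a number of seconds
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def assess(http_resp, https_resp):
    """Label how a site upgrades to HTTPS, given two captured responses.
    Each response is (status, headers) with lower-case header names."""
    status, headers = http_resp
    findings = []
    location = headers.get("location", "").lower()
    if status in (301, 302, 303, 307, 308) and location.startswith("https://"):
        findings.append("plaintext-redirect")  # what the RewriteRule produces
    if "strict-transport-security" in headers:
        findings.append("hsts-over-http-ignored")  # browsers discard it on HTTP
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if policy is None or policy["max_age"] == 0:
        findings.append("no-hsts-policy")  # max-age=0 removes a stored policy
    else:
        findings.append("hsts-policy-set")
    return findings

# Constructed sample captures (example.com is a placeholder host).
REDIRECT_ONLY = ((301, {"location": "https://example.com/"}), (200, {}))
WITH_HSTS = ((301, {"location": "https://example.com/"}),
             (200, {"strict-transport-security":
                    "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    print("redirect only:", assess(*REDIRECT_ONLY))
    print("with HSTS:    ", assess(*WITH_HSTS))
```

Both captures still show `plaintext-redirect`: HSTS only takes effect after the browser has received the policy over HTTPS, so the redirect remains the fallback for a first visit.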