
I'm using basic auth where the user sends their username and password in the header. These requests will be done over HTTPS for security (since the password would be in plain text otherwise). If the user accidentally makes a request via HTTP, is there a way in nginx that I can close the connection before they send their authorization header? I'm concerned that if I simply redirect them to HTTPS, their password will still have been sent in plain text for the first request.

1 Answer


This is what Strict Transport Security is for.

Add this in the appropriate server blocks:

```nginx
add_header Strict-Transport-Security max-age=315360000;
```

This will instruct web browsers, once they have visited your site at least once, to never attempt to visit it again (within the number of seconds specified by max-age) without using HTTPS.

The time you specify in max-age should be at least as long as the duration of any cookies you provide the user.

Note that you must only serve this header on HTTPS responses, and that to complete the loop you should redirect any HTTP requests to the equivalent HTTPS URL.

Michael Hampton
  • Thanks, I didn't know about this. After looking into it a bit further I noticed that it can still possibly send the first request unencrypted, but there doesn't seem to be a workaround for this at the moment. There is talk of [preloading HSTS](https://blog.mozilla.org/security/2012/11/01/preloading-hsts/) which would solve that problem, but I don't think anyone has implemented it. – greatwitenorth Jul 31 '13 at 21:47
  • Since the first request may be unencrypted, this is why you need to 301-redirect every HTTP request to HTTPS. – Michael Hampton Aug 01 '13 at 10:55
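The complete layout the answer and comments describe, as an added example that is not from the original answer: a plain-HTTP server block that only redirects, and an HTTPS block that serves HSTS and enforces basic auth. The hostname, certificate paths and htpasswd path are assumptions; `always` on `add_header` assumes nginx 1.7.5 or later, and is used because the first Basic auth round-trip is a 401, which `add_header` skips without it.

```nginx
# Plain HTTP: deliberately no auth_basic here, so credentials are never
# evaluated over cleartext. Every request is sent to its HTTPS equivalent.
server {
    listen 80;
    server_name example.com;                 # assumed hostname
    return 301 https://$host$request_uri;
}

# HTTPS: the only place the HSTS header and the auth check live.
server {
    listen 443 ssl;
    server_name example.com;                 # assumed hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumed path

    # Same ten-year max-age as the answer. "always" (nginx >= 1.7.5) adds the
    # header to 401 responses too, so the browser learns HSTS even when its
    # first HTTPS request carries no Authorization header yet.
    add_header Strict-Transport-Security "max-age=315360000" always;

    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;  # assumed path
        root                 /var/www/example;      # assumed docroot
    }
}
```

As the comments note, nothing here can stop a client's very first plaintext request from carrying a header; the port-80 block only guarantees that nginx never evaluates credentials there and always answers with the redirect.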