The HTTP Strict Transport Security (HSTS) policy protects users by declaring to their web browser that it must only interact with the web server over a secure (HTTPS) connection.
It is implemented by adding the Strict-Transport-Security header to the server's responses, for example in a .htaccess file (Apache) created at the root of the websites:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
For uWSGI, add the following lines to the additional settings (menu Web > Site > Modify the [site] - ⚙️ > Advanced Settings); the first rule redirects plain HTTP requests to HTTPS, the second adds the header only on HTTPS responses:

plugins = router_redirect
route-if-not = equal:${HTTPS};on redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}
route-if = equal:${HTTPS};on addheader:Strict-Transport-Security: max-age=31536000
For Node.js with Express, put this middleware before any other controller (app is your Express application):

app.use(function (req, res, next) {
  // Only send the header on secure connections, as RFC 6797 requires
  if (req.secure) {
    res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains'); // 2 years
  }
  next();
});
Another method uses the helmet NPM package:

var helmet = require('helmet');
...
app.use(helmet.hsts({
  maxAge: 31536000000,      // one year, in milliseconds in the helmet version this snippet targets
  includeSubdomains: true,
  force: true
}));

Note: recent helmet releases express maxAge in seconds (31536000 for one year) and spell the option includeSubDomains; check the documentation of the version you install.
The directives have the following meanings:

- max-age defines the period during which browsers apply a given HSTS policy (31536000 = one year),
- includeSubDomains applies HSTS to both the domain and its subdomains,
- preload allows the site to be added to the browsers' preloaded HSTS lists.

max-age is required, unlike the other ones.
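To verify that a deployed header follows the rules above (max-age mandatory, includeSubDomains and preload optional), here is an added example checker, not code from the hosting provider's documentation; the sample header values at the bottom are constructed, and the one-year threshold mirrors the 31536000 value used in the configurations above.

```python
"""Parse and sanity-check a Strict-Transport-Security header value (RFC 6797)."""
import re

ONE_YEAR = 31536000  # seconds, the max-age used in the examples above


def parse_hsts(header_value):
    """Return a dict of directives (names lower-cased), or None if the header is invalid.
    max-age is mandatory and must be an integer; a duplicated directive invalidates the header."""
    directives = {}
    for token in header_value.split(';'):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition('=')
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:  # RFC 6797 forbids repeating a directive
            return None
        directives[name] = value
    if 'max-age' not in directives or not re.fullmatch(r'\d+', directives['max-age']):
        return None
    return directives


def check_hsts(header_value):
    """Return a list of findings; an empty list means the policy looks sound."""
    d = parse_hsts(header_value)
    if d is None:
        return ['invalid header: max-age missing or malformed']
    findings = []
    max_age = int(d['max-age'])
    if max_age == 0:
        findings.append('max-age=0 disables HSTS for this host')
    elif max_age < ONE_YEAR:
        findings.append('max-age shorter than one year (31536000)')
    if 'includesubdomains' not in d:
        findings.append('includeSubDomains missing: subdomains are not covered')
    if 'preload' in d and ('includesubdomains' not in d or max_age < ONE_YEAR):
        findings.append('preload requires includeSubDomains and max-age >= 31536000')
    return findings


# Constructed sample header values (not captured from a real site)
SAMPLES = {
    'apache': 'max-age=31536000; includeSubDomains',
    'uwsgi': 'max-age=31536000',
    'broken': 'includeSubDomains',
}

if __name__ == '__main__':
    for name, value in SAMPLES.items():
        print(name, check_hsts(value) or 'OK')
```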