
For my website's .htaccess I currently have:

RewriteEngine On
# Redirect any request that did not arrive over TLS to the same URL on https://
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

So that when someone visits the page over HTTP they get a 301 and then connect over SSL/TLS. However, this still opens users up to MITM attacks via sslstrip. I noticed that if I go to http://facebook.com, in my network log the request gets changed to https://facebook.com before a response comes back, preventing a MITM attack. I was wondering how this was achieved so I can force SSL/TLS better.

Thanks

winhowes

1 Answer


Facebook achieves this with an HTTP Strict Transport Security (HSTS) policy.

This is delivered over HTTPS and informs the browser to automatically "rewrite" HTTP requests to HTTPS for that domain. The max-age parameter specifies how long the browser will honour the policy for.

It is also possible to list your site in the HSTS preload list. This list is shipped with browsers. The advantage of the list is that the site does not require the first (insecure) visit to be made in order for the policy to be set.

SilverlightFox
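As an added example (not part of the question or the answer above), here is a .htaccess that keeps the redirect from the question and adds the HSTS header the answer describes. It assumes Apache with mod_rewrite and mod_headers loaded, and that the HTTPS environment variable is set on TLS requests (mod_ssl sets HTTPS=on for them).

```apache
# Added example, not the asker's or answerer's configuration.
# Assumes: Apache with mod_rewrite and mod_headers enabled, and mod_ssl
# setting the HTTPS environment variable to "on" for requests served over TLS.

RewriteEngine On

# 1. Redirect plain-HTTP requests to the same URL over HTTPS (the rule from
#    the question). This is the only protection a browser gets on its very
#    first visit, which is the window sslstrip relies on.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 2. Send the HSTS header only on responses that actually went out over TLS
#    (env=HTTPS). Browsers ignore the header on plain HTTP anyway, so sending
#    it there is pointless.
#    max-age=31536000 is one year in seconds: how long the browser keeps
#    rewriting http:// to https:// for this host after it has seen the header.
#    includeSubDomains extends the policy to every subdomain, so every
#    subdomain must already be reachable over HTTPS before you enable it.
#    "always" also attaches the header to error responses (404, 500, ...),
#    which "set" on its own would skip.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

When rolling this out, start with a short max-age (a few minutes) and raise it once every host and subdomain is confirmed to work over HTTPS; once a browser has cached a long policy, a broken certificate on any covered host locks users out until it expires or the server sends max-age=0 over HTTPS. The header alone still leaves the first visit unprotected; submitting the domain to the browser preload list the answer mentions (which additionally requires the preload token, a max-age of at least one year and includeSubDomains) is what closes that gap.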