The recent run of WordPress security problems motivated us to speed up moving our blog to HTTPS-only mode. This does not fix WordPress's own vulnerabilities, but it makes possible problems easier to spot later and takes one class of attacks off the table: anything that relies on reading or tampering with our traffic in transit, such as picking up a login session on an open network.
So we set the Strict-Transport-Security header to tell the browser that plain HTTP is off-limits for this host. The max-age of 31536000 seconds means the browser remembers that for a year from the last visit and refreshes the timer on every HTTPS response. Note that browsers only honor the header when it arrives over HTTPS, so the very first visit still depends on the redirect below, and without includeSubDomains it covers this hostname only. We also turned all links to our blog from our website and internally in the blog, including resources, into HTTPS links.
We also added .htaccess rewrite rules that force every request onto HTTPS and onto the one hostname that has a matching certificate (blog.xceptance.com); requests for the .de domain are redirected there first.
```apache
###
# Needed once per .htaccess unless another block in the file already turns it
# on (WordPress's own "# BEGIN WordPress" block does).
RewriteEngine On

# Send .de to .com
# The target is hard-coded with https://, so a .de request lands on the
# certificate-bearing host over TLS in a single redirect. The query string is
# carried over automatically by mod_rewrite.
RewriteCond %{HTTP_HOST} xceptance\.de$ [NC]
RewriteRule ^(.*)$ https://blog.xceptance.com/$1 [L,R=301]

# Force https
# %{HTTPS} is set by mod_ssl on the Apache that terminates TLS. Behind a
# TLS-terminating proxy or load balancer it stays "off" and this rule would
# loop; in that setup test %{HTTP:X-Forwarded-Proto} instead.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Set the correct header to tell the browser secure only
# env=HTTPS limits the header to TLS responses; browsers ignore HSTS received
# over plain HTTP anyway (RFC 6797). "Header always set" would additionally
# attach it to error responses such as 404s.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
```
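A quick way to check that the rules above do what they should is to look at the response headers with curl. The script below is an added example, not code from the Xceptance post: it contains small POSIX shell checks for the two redirects and for the HSTS header, and runs them against constructed sample header blocks that mimic what the .htaccess rules should produce for blog.xceptance.de and blog.xceptance.com (the hostnames are the post's; the sample responses, the post path and the function names are assumptions). Against the live site you would replace the samples with `curl -sI http://blog.xceptance.de/` and `curl -sI https://blog.xceptance.com/`.

```shell
#!/bin/sh
# Added example: verify redirect-to-HTTPS and HSTS from HTTP response headers.
# Live usage (not run here, samples below are constructed instead):
#   curl -sI http://blog.xceptance.de/   | check_redirect https://blog.xceptance.com/
#   curl -sI http://blog.xceptance.com/  | check_redirect https://blog.xceptance.com/
#   curl -sI https://blog.xceptance.com/ | check_hsts 31536000

# Status code from the first line of a header block read from stdin
# (works for "HTTP/1.1 301 ..." as well as "HTTP/2 301").
status_of() {
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tr -d '\r'
}

# Value of the named header (case-insensitive), CR and surrounding blanks stripped.
header_value() {
    tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_redirect <https-prefix>: stdin must be a 301 whose Location starts
# with the given prefix, i.e. the request was sent to the canonical TLS host.
check_redirect() {
    hdrs=$(cat)
    code=$(printf '%s\n' "$hdrs" | status_of)
    loc=$(printf '%s\n' "$hdrs" | header_value Location)
    [ "$code" = 301 ] || { echo "expected 301, got '$code'"; return 1; }
    case "$loc" in
        "$1"*) return 0 ;;
        *) echo "Location '$loc' does not start with '$1'"; return 1 ;;
    esac
}

# check_hsts <min-max-age>: stdin must carry Strict-Transport-Security with a
# max-age of at least <min-max-age> seconds (31536000 = one year).
check_hsts() {
    hsts=$(header_value Strict-Transport-Security)
    [ -n "$hsts" ] || { echo "no Strict-Transport-Security header"; return 1; }
    age=$(printf '%s\n' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ -n "$age" ] || { echo "HSTS header without max-age: '$hsts'"; return 1; }
    [ "$age" -ge "$1" ] || { echo "max-age $age is below $1"; return 1; }
}

# Browsers ignore HSTS over plain HTTP (RFC 6797); if it shows up there, the
# env=HTTPS condition on the Header directive is not working as intended.
check_no_hsts_over_http() {
    hsts=$(header_value Strict-Transport-Security)
    [ -z "$hsts" ] || { echo "HSTS sent over plain HTTP: '$hsts'"; return 1; }
}

# Constructed sample responses (what the .htaccess rules should produce).
sample_http_de() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.xceptance.com/2017/12/some-post/\r\nContent-Length: 0\r\n\r\n'
}
sample_http_com() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.xceptance.com/2017/12/some-post/\r\nContent-Length: 0\r\n\r\n'
}
sample_https_com() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'
}
# Misconfigured variant: HSTS present but far too short to be useful.
sample_https_short() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\nContent-Type: text/html\r\n\r\n'
}

run_check() {   # run_check <label> <command...>
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fi
}

run_check ".de -> .com redirect"      sh -c 'sample_http_de | check_redirect https://blog.xceptance.com/' 2>/dev/null || true
sample_http_de   | check_redirect https://blog.xceptance.com/ && echo "ok   .de -> https://blog.xceptance.com/"
sample_http_com  | check_redirect https://blog.xceptance.com/ && echo "ok   http -> https on .com"
sample_http_com  | check_no_hsts_over_http                     && echo "ok   no HSTS over plain HTTP"
sample_https_com | check_hsts 31536000                         && echo "ok   HSTS max-age >= one year"
sample_https_short | check_hsts 31536000 || echo "expected failure: short max-age is rejected"
```

The checks only look at headers, so they are cheap enough to run after every .htaccess change; pointing them at the live hostnames also catches the redirect loop you get when TLS is terminated in front of Apache and `%{HTTPS}` never becomes `on`.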
The only open item is to convince our hoster to properly support TLS 1.2.