No-Encryption-Found/EN

Aus Siwecos
Version vom 4. Juli 2018, 09:10 Uhr von Siwebot (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „=== <span style="color:#c31622">{{:{{PAGENAME}}/Headline}}<span>=== {| class="wikitable" |'''Check'''|| {{:{{PAGENAME}}/Negative}} |- |'''Beschreibung'''…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Wechseln zu: Navigation, Suche

Check of HSTS protection

Check HSTS protection error
Beschreibung HTTP Strict Transport Security (HSTS) ensures that the website can only be accessed via a secure HTTPS connection for a specified time period. The website operator can define the length of the time period, and whether this rule should also apply to subdomains.
Hintergrund HTTP Strict Transport Security (HSTS) protection is inactive, the communication between your website and its visitors can be intercepted and manipulated.
Auswirkung Currently, your website is not protected against using an outdated SSL/TLS standard (protocol downgrade attacks) and against cookie hijacking. This allows an attacker to intercept and manipulate your user's communication. Using this information, an attacker could launch further attacks or spam your users with unwanted advertisements and malicious code. HTTP Strict Transport Security (HSTS) is an excellent feature to strengthen your site and its implementation of TLS by forcing the user agent to use HTTPS.
Lösung / Tipps If the connection to your page is not encrypted, all communication between your site and its users can be intercepted and manipulated.

max-age=63072000; includeSubdomains; HTTP Strict Transport Security (HSTS) is a web security policy mechanism that is easy to integrate.

# Activate HTTP Strict Transport Security (HSTS)
# Required: "max-age"
# Optional: "includeSubDomains"
Header set Strict-Transport-Security "max-age=31556926; includeSubDomains"

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)

[[Category: ]]