Google increase security by using only HSTS and it is a good idea to do the same for your server. HTTP Strict Transport Security (HSTS) instructs browsers to communicate with your site only over HTTPS.

For many years, we’ve worked to increase the use of encryption between our users and Google. Today, the vast majority of these connections are encrypted, and our work continues on this effort.

To further protect users, we've taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security—HSTS for short—on the www.google.com domain. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.

see Bringing HSTS to www.google.com

Quoting the Mozilla Developer Network:

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com. This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page. The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

An example scenario:

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker. Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

For NGINX add this in the server block for your HTTPS configuration:

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

I would also add the X-Frame-Options header to your HTTPS website to make sure it is not embedded in a frame or iframe. This avoids clickjacking, and might be helpfull for HTTPS websites.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

For NGINX add this in the server block for your HTTPS configuration:

add_header X-Frame-Options "DENY";

Don't forget to restart NGINX.

comments powered by Disqus

You might like also

No Thumbnail was found
Usually, a percentage of the tokens is sold to ICO participants and a percentage kept for the company’s needs. The token distribution and allocation of the token is usually a chapter in the future company whitepaper. A pie chart displays how and to whom tokens will be allocated. But how much tokens are allocated (amount) and what are they used for? how much token should I spend for advisor? is 15% of all tokens too much for founder? How many …
173 Days ago
No Thumbnail was found
introduction This is my attempt to list all possible blockchain consensus out there, I welcome pull request of the blockchain community! let's make it the main reference for blockchain consensus. Visit also Tokens-Economy.com to keep track of new developments in the distributed ledger technology space. Blockchain Consensus? At the core of the Blockchain disruption is a consensus algorithm: Consensus algorithms enable network participants to agree on the contents of a blockchain in a distributed and trust-less manner. “Consensus decision-making is a group …
184 Days ago
Initial Coin Offering security checklist
Blockchain technology and cryptocurrencies have revolutionized the way companies raise capital but at the same time are bringing their own sets of challenges. To ensure that your startup will go through that (ad)venture in a safe manner, you should always adhere to best security practices, for your company AND your investors.  This mind map will present you in a visual way lots of valuable information like: A compilation of the most dangerous threats to the ICO industry and how to mitigate, …
205 Days ago
Initial Coin Offering in most relevant countries
 This new rendering will allow you to better compare countries The rendering being dynamic you can also pass some parameters like https://ico.tokens-economy.com/statistics/collage.html?width=800&height=800 The default size is width=450&height=450 Filter by year ico end. e.g all ico ended in 2017 https://ico.tokens-economy.com/statistics/collage.html?year=2017  Filter by category and year https://ico.tokens-economy.com/statistics/collage.html?category=Cryptocurrency  And more ICO with no raised amount is also displayed now. ICO webpage has been added Text in bubble scale now properly and are always centered     …
219 Days ago
2751 coins, 47 Consensus and 82 cryptographic algorithms
The innovation speed in Blockchain landscape is just breathtaking and being able to (or to be honest trying to...) follow all these rapid changes is a chance for all software engineers. At the core of the Blockchain disruption are consensus algorithm: Consensus algorithms enable network participants to agree on the contents of a blockchain in a distributed and trust-less manner. And the consensus algorithm plays a crucial role in maintaining the safety and efficiency of blockchain. Using the right algorithm may bring a significant increase to the …
227 Days ago
Initial Coin Offering in Blockchain-Friendly countries
Ever since Vitalik Buterin and Ethereum settled on Switzerland for its Foundation and Initial Coin Offering (ICO), Switzerland has been popular among blockchain-based businesses and is considered the number one in a list of the top 10 European countries for starting a blockchain company (source cointelegraph.com). PwC also found that ICO volume reached new record highs in the first half of 2018 ($13.7 Billion so far), already doubling the volume of the previous year! That inspired me a way to compare at the same time …
235 Days ago
Evaluating Blockchain Projects With Token Economy Canvas
Business Model Canvas is a strategic management and lean startup template for developing new or documenting existing business models. It is a visual chart with elements describing a firm's or product's value proposition, infrastructure, customers, and finances. It assists firms in aligning their activities by illustrating potential trade-offs. Business Model Canvas: nine business model building blocks, Osterwalder, Pigneur & al. 2010 After reading this great article https://medium.com/@pstehlik/evaluating-blockchain-projects-with-token-economy-canvas-908bc1bab6 I felt the need to create an online editor. "Token Economy Canvas consists of …
271 Days ago
ICO friendliness rating index
Do you want to relocate your Blockchain company to an ICO friendly country? the ICO friendliness rating index is a interactive way to go through the list of countries that are hostile or favorable to ICO and Cryptocurrencies. Attention! a disclaimer is required: No Legal Advice or Attorney-Client Relationship: This chart is provided for informational purposes only and is not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Recipient should …
271 Days ago
Joomla 3.8.7 and WTLib WinNMP 18.03
As always updating to the latest version of all your developement components is never without any issues, here is what  you need to take into consideration when upgrading Joomla 3.8.7 and WinNMP 18.03 Install WinNMp 18.03 from https://winnmp.wtriple.com/ in any directory, default is C:\WinNMP\ Unpack Joomla 3.8.7 to C:\WinNMP\WWW\dev for example When starting WinNMP, you can click reload, to see the site appearing    Now edit Nginx virtual server    And cut and paste the following config (you can get it from http://winnmp.wtriple.com/nginx.phpJoomla-Nginx-configuration)   …
298 Days ago
The cryptocurrency hack of Bob
Bob did a lot of (obvious) mistakes, but you will still be able to learn a lot by going through this mindmap. The names have been changed to protect the innocent. Hack of Bob   …
327 Days ago