    enable HSTS headers when using TLS · 07d443ee
    Antoine Beaupré authored
    HSTS is HTTP Strict Transport Security; it protects websites against
    downgrade attacks. Therefore if we redirect HTTP to HTTPS, we should
    also use HSTS. To quote the Mozilla security guidelines:
    
    > HTTP Strict Transport Security (HSTS) is an HTTP header that
    > notifies user agents to only connect to a given site over HTTPS,
    > even if the scheme chosen was HTTP. Browsers that have had HSTS set
    > for a given site will transparently upgrade all requests to
    > HTTPS. HSTS also tells the browser to treat TLS and
    > certificate-related errors more strictly by disabling the ability
    > for users to bypass the error page.
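Added example (not the project's code, and not part of the commit): a small model of both halves of the mechanism the commit message quotes. The server side emits `Strict-Transport-Security` only on responses served over TLS, matching the commit title; the client side keeps the "known HSTS host" store a browser keeps, parses `max-age`, `includeSubDomains` and `max-age=0`, expires entries, transparently upgrades `http://` requests to `https://`, and reports when a certificate error may not be clicked through. Hostnames, header values and clock values are constructed for illustration.

```python
"""Added example, not code from the page or the project it belongs to.

Models the HSTS behaviour described in RFC 6797 with constructed hostnames
and clock values (all assumptions, not data from the page).
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def hsts_header(over_tls: bool, max_age: int = 31536000,
                include_subdomains: bool = True) -> Optional[str]:
    """Server side: value for the Strict-Transport-Security response header.

    A user agent must ignore the header on a plain-HTTP response, so the
    server only sets it when the request actually arrived over TLS.
    """
    if not over_tls:
        return None
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool  # policy also covers subdomains


class HstsClient:
    """Client side: the known-HSTS-host store a user agent maintains."""

    def __init__(self) -> None:
        self.store: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, over_tls: bool,
                         header: Optional[str], now: float) -> None:
        """Record (or delete) a policy from a response's STS header."""
        if not over_tls or header is None:
            return  # STS on a non-TLS response is ignored
        directives = {}
        for part in header.split(";"):
            name, _, val = part.strip().partition("=")
            directives[name.lower()] = val.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # max-age is required; malformed header is ignored
        max_age = int(directives["max-age"])
        host = host.lower()
        if max_age == 0:
            self.store.pop(host, None)  # max-age=0 removes the policy
            return
        self.store[host] = HstsEntry(now + max_age, "includesubdomains" in directives)

    def _policy_for(self, host: str, now: float) -> Optional[HstsEntry]:
        """Exact host first, then parent domains that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.store.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.store[candidate]  # expired policy is dropped
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for a known HSTS host; port 80 maps to 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if self._policy_for(parts.hostname, now) is None:
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def must_fail_hard(self, host: str, now: float) -> bool:
        """True when a TLS or certificate error for host cannot be bypassed."""
        return self._policy_for(host, now) is not None
```

The first TLS response is what seeds the policy, which is why the redirect from HTTP to HTTPS and the header belong together: the HTTP request that a first-time visitor sends can still be intercepted, and HSTS only closes the window on every visit after that one.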