{"id":931,"date":"2018-12-31T15:32:45","date_gmt":"2018-12-31T23:32:45","guid":{"rendered":"https:\/\/www.goer.org\/?p=931"},"modified":"2018-12-31T15:32:45","modified_gmt":"2018-12-31T23:32:45","slug":"a-simple-htaccess-recipe-for-https-redirect-hsts","status":"publish","type":"post","link":"https:\/\/www.goer.org\/Journal\/2018\/12\/a-simple-htaccess-recipe-for-https-redirect-hsts.html","title":{"rendered":"A Simple .htaccess Recipe for HTTPS Redirect + HSTS"},"content":{"rendered":"

I like to get at least one<\/em> blog post in a year — this one is coming in just under the wire!<\/p>\n

One of the phone screen questions I like to ask junior frontend candidates (and occasionally more experienced frontend candidates) is:<\/p>\n

\n

Imagine you’re creating a website that doesn’t have any login capabilities, shopping carts, or anything other than static articles. Would you go to the effort of setting up HTTPS? Why or why not?”<\/em><\/p>\n<\/blockquote>\n

The answers I’m hoping to hear are along the lines of, “to make sure that people are actually connecting to your site,” or “to prevent a man-in-the-middle from tampering with your site.” Which then sometimes leads into an interesting discussion about TLS and what the candidate understands about networking.<\/p>\n

Important stuff! Which makes it at least a little bit embarrassing to admit that it was only this year that I got around to adding proper HTTPS with redirects to my own website. Now, at least, I can ask my interview question without feeling like a giant hypocrite.<\/p>\n

To make this post more about utility and less about self-flagellation, here’s the configuration I used. I’m on an old shared host, so this configuration is oriented towards people like myself, who are stuck hand-editing .htaccess<\/code> files like a peasant. Interestingly, when you search for “redirect HTTP to HTTPS”, there aren’t actually that many pages that cover HTTPS redirects and<\/em> HSTS in the same place, so perhaps this will be useful to somebody:<\/p>\n

<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteCond %{SERVER_PORT} 80 \nRewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n<\/IfModule>\n\n<IfModule mod_headers.c>\nHeader set Strict-Transport-Security \"max-age=31536000; includeSubdomains;\"\n<\/IfModule>\n<\/code><\/pre>\n
Notes:<\/p>\n