QambarRaza.com is now secure

I went on a course of The Best TLS Training and thought i should implement what i learn on my domain. Previously, QambarRaza.com was Grade A on https://www.ssllabs.com/ and Grade ‘F’ on https://securityheaders.com/.

But special thanks to https://scotthelme.co.uk/, i was able to make it Grade ‘A+’ on both security analyser websites.

Its very easy to do, i only spent 5 minutes to achieve this. You can do it to even if you don’t have access to nginx server you can do it via passing headers in PHP like i did:


//If the HTTPS is not found to be "on"
if(!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on")
{
    //Tell the browser to redirect to the HTTPS URL.
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    //Prevent the rest of the script from executing.
    exit;
}

header("strict-transport-security: max-age=31536000; includeSubDomains; preload");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: no-referrer");
header("Content-Security-Policy: upgrade-insecure-requests");

And if you want to go one step further you can also submit your website to https://hstspreload.org/ which will make all browsers always open your website in HTTPS but becareful about it as you can break things as your http endpoints will stop working.

Enjoy!

Qambar Raza

An ethical hacker interested in hardware.

QambarRaza.com is now secure

Leave a Reply Cancel reply