I went on a course of The Best TLS Training and thought I should implement what I learned on my domain. Previously, QambarRaza.com was Grade A on https://www.ssllabs.com/ and Grade ‘F’ on https://securityheaders.com/.
But special thanks to https://scotthelme.co.uk/, I was able to make it Grade ‘A+’ on both security analyser websites.
It's very easy to do; I only spent 5 minutes to achieve this. You can do it too, even if you don’t have access to the nginx server: you can do it by passing headers in PHP like I did:
```php
<?php
// This must run before any output is sent, otherwise header() cannot modify the response.

// If the HTTPS flag is not found to be "on", this request arrived over plain HTTP.
if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
    // Tell the browser to redirect to the HTTPS URL.
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    // Prevent the rest of the script from executing.
    exit;
}

// HSTS: remember HTTPS for one year, cover subdomains, and opt in to the preload list.
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
// Only allow this site to frame its own pages (clickjacking defence).
header("X-Frame-Options: SAMEORIGIN");
// Stop browsers from MIME-sniffing responses away from the declared Content-Type.
header("X-Content-Type-Options: nosniff");
// Legacy XSS auditor switch for older browsers.
header("X-XSS-Protection: 1; mode=block");
// Never send a Referer header to other sites.
header("Referrer-Policy: no-referrer");
// Ask the browser to fetch any http:// subresources over https:// instead.
header("Content-Security-Policy: upgrade-insecure-requests");
```
And if you want to go one step further, you can also submit your website to https://hstspreload.org/, which makes browsers that ship the preload list always open your website over HTTPS, even on the very first visit. But be careful with it: because the browser upgrades requests before sending them, any plain-HTTP endpoints on your domain (and, with includeSubDomains, on its subdomains) will stop working, and removal from the list takes a long time to reach users.
Enjoy!