Support » Plugin: Security Headers » Problem with Strict-Transport-Security

  • Plugin Author SimonRWaters

    (@simonrwaters)

    I see orange (not red) for STS and max-age=300.

    So I think it worked.

    I see a proxy header, so do you have a reverse proxy? Maybe you were analysing a request from cache rather than the current settings.

    Thread Starter MaryI

    (@maryi)

    Can this plugin help me turn the orange to green? Do I have to change the max-age to do that?

    I don’t know what a reverse proxy is. Is that necessary?

    Thanks!

    Plugin Author SimonRWaters

    (@simonrwaters)

    Yes, security headers wants a bigger max-age, since the browser remembering to use HTTPS for 5 minutes is not terribly useful. STS is all about the browser remembering to use HTTPS when the user returns days or weeks later.

    The advice to use 300 seconds is just because it is long enough for testing, and short enough to disable without too much waiting if something does break.

    Remember to test other services in the same domain name, especially if using the (recommended) includeSubdomains option. And anything that fetches content automatically (feed aggregators for example).

    If you are confident the site is working with https correctly, you can (and should) bump to a much bigger number of seconds. There is no right max-age, I guess if you were a tax return site you might set 367 days since users might turn up just once a year.

    Max-age is in seconds. 86400 seconds in a day. Or a million seconds is about 11 days. Most people advise 30 to 90 days, but if your users have a clear pattern of returning you can base it on that.
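    As an added illustration (this is not code from the thread or from the Security Headers plugin), the script below does what a checker such as the one discussed above has to do: parse the Strict-Transport-Security value, convert max-age to days, and grade it. The grading thresholds are my own assumption, modelled on the advice in this reply (300 seconds as the testing value, anything under 30 days as orange, otherwise green). It also looks at the cache indicators mentioned earlier in the thread (X-Proxy-Cache, plus the standard Age header) to say whether a response was answered by a proxy cache rather than by WordPress itself. The sample headers at the bottom are constructed from the values quoted in the thread.

```python
"""Check a Strict-Transport-Security header and spot cached responses.

Added example, not the plugin's code. Thresholds are assumptions chosen to
match the advice in the thread, not the exact rules of securityheaders.io.
"""
from typing import Dict, Optional

DAY = 86400                    # seconds in a day
TESTING_MAX_AGE = 300          # the 5-minute value suggested while testing
RECOMMENDED_MIN = 30 * DAY     # assumed threshold: below this we call it "orange"


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value. Directives are ';'-separated and
    case-insensitive (RFC 6797); max-age is mandatory, the others are flags."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age value: {val!r}")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def max_age_days(seconds: int) -> float:
    """Express a max-age in days, rounded to one decimal (1,000,000 s is 11.6 days)."""
    return round(seconds / DAY, 1)


def grade_hsts(value: Optional[str]) -> str:
    """'red' = no usable HSTS, 'orange' = testing-sized max-age, 'green' = long enough.
    The red/orange/green split is an assumption, not the checker's published rule."""
    if value is None:
        return "red"
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        return "red"            # without max-age the header is invalid and ignored
    if parsed["max_age"] < RECOMMENDED_MIN:
        return "orange"
    return "green"


def looks_cached(headers: Dict[str, str]) -> bool:
    """Heuristic: a proxy-cache HIT, or an Age greater than zero, means the
    response came from a cache and may not reflect the current settings."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    for name in ("x-proxy-cache", "x-cache"):      # common but non-standard names
        if lower.get(name, "").lower().startswith("hit"):
            return True
    age = lower.get("age", "0")
    return age.isdigit() and int(age) > 0


def check_response(headers: Dict[str, str]) -> dict:
    """Summarise the HSTS state of one HTTPS response (HSTS is ignored over plain HTTP)."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    parsed = parse_hsts(value) if value else {"max_age": None, "include_subdomains": False, "preload": False}
    return {
        "grade": grade_hsts(value),
        "days": max_age_days(parsed["max_age"]) if parsed["max_age"] is not None else 0.0,
        "include_subdomains": parsed["include_subdomains"],
        "cached": looks_cached(headers),
    }


# Constructed sample responses using the values quoted in the thread.
TESTING_RESPONSE = {"Strict-Transport-Security": "max-age=300", "X-Proxy-Cache": "Miss"}
PRODUCTION_RESPONSE = {"Strict-Transport-Security": "max-age=11000000; includeSubDomains",
                       "X-Proxy-Cache": "HIT", "Age": "120"}

if __name__ == "__main__":
    for label, resp in (("testing", TESTING_RESPONSE), ("production", PRODUCTION_RESPONSE)):
        print(label, check_response(resp))
```

    Note that 11,000,000 seconds is about 127 days, which is why it came back green, while the 300-second testing value is only long enough to confirm the header is being sent at all. The "cached" flag is worth checking before trusting any result: a HIT from a reverse proxy may show whatever header the origin was sending several minutes ago.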

    Thread Starter MaryI

    (@maryi)

    Changing the max-age to 11 million seconds changed STS to green. Thanks!

    Plugin Author SimonRWaters

    (@simonrwaters)

    A reverse proxy is a device a web hosting company places in front of web servers to speed things up. Typically it caches a copy of web pages and images in memory for a short period; if there is a rush of people to visit a site it can answer those requests without WordPress having to do lots of database lookups and the like. WordPress is quite slow by web hosting standards.

    Content Distribution Networks (CDNs) are just companies that deploy a bunch of reverse proxies around the world, so the slow-changing elements of websites, like images and style sheets, can be served from a computer nearer the user.

    The header “X-Proxy-Cache: Miss” in the securityheaders.io report tells me a CDN or reverse proxy is in use. If you are managing the site yourself it may be worth understanding what’s between your browser and WordPress, as whilst caching is essential for performance, it can be confusing if you make a change and the website stays the same for 10 minutes.

    CDNs and reverse proxies are a much better way of speeding up a WordPress site than some of these dreadful plugins that speed it up by caching inside WordPress. I found a security hole in one of them, and I’m not alone.

    Thread Starter MaryI

    (@maryi)

    Wow, thanks for that feedback. I’ll have to work through this.
