Configure HSTS (HTTP Strict Transport Security) in BPS Pro


This topic contains 11 replies, has 2 voices, and was last updated by  AITpro Admin 2 weeks, 2 days ago.

  • #35838

    Mats
    Participant

    Hi,

    could you please help me to configure HTTP Strict Transport Security (HSTS) in BPS Pro. Tried to achieve that by using “Custom Code” Section 9 (CUSTOM CODE REQUEST METHODS FILTERED). Copied & pasted the original code in .htaccess and then modified it, deleted all the code and pasted instead …

    Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    But it doesn’t work that way. Thanks.

    #35840

    AITpro Admin
    Keymaster

    The 9. CUSTOM CODE REQUEST METHODS FILTERED Custom Code text box is only for BPS Request Methods Filtered htaccess code so that you can modify just that code.  No other code should go in that Custom Code text box.  You would either use the 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE text box or the 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE text box.  Personally I recommend using the 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE text box.

    Reference Link:  OWASP Secure Headers Project
    https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts

    #35841

    Mats
    Participant

    Thanks, I tried both possibilities … but failed (box 1 and 14).

    Strict-Transport-Security: max-age=31536000; includeSubDomains

    Always a “500 Internal Server Error” after activating under tab “Security Modes” and I had to reconfigure. Is there something else possible to implement HSTS (or maybe you could please implement it as an additional feature in one of the next updates (fields: max-length, subdomains, preload))?

    #35842

    AITpro Admin
    Keymaster

    It looks like your code is missing a blank space after the max-age parameter.

    Strict-Transport-Security: max-age=31536000[1 blank space here]; includeSubDomains

    #35843

    Mats
    Participant

    Thanks, but that doesn’t seem to be the point. I tried in several modes of spelling. The BPS “crashes” (Box 1 & 14) and I had to completely reconfigure it. Today I had to do a new install … . Seems there is no possibility?

    #35844

    Mats
    Participant

    Additional hint: I use a multisite installation of WP 4.9.6 and want to implement HSTS for each domain (main site + subdomains).

    #35845

    AITpro Admin
    Keymaster

    Testing has been scheduled for 9am tomorrow morning to see if the HSTS htaccess code works on our Local Development servers and also our Live hosted host servers.  If the HSTS htaccess code works on our servers that does not necessarily mean your host server allows the HSTS htaccess code.  Network/Multisite sites are virtual and not physical.  So I am not sure if that factor is causing the problem.  We will test on both a single standard WordPress installation and a Network/Multisite installation of WordPress.  What type of Network/Multisite site do you have?  Subdirectory or Subdomain?  Is this a WordPress Network/Multisite installation or a WPMU installation?

    #35846

    Mats
    Participant

    Thank you very much. It is a WP Network/Multisite installation with subdirectories.

    #35847

    AITpro Admin
    Keymaster

    Oops, forgot to ask for the exact HSTS htaccess code that you are using.  Please post the exact HSTS htaccess code if it is different than what you have already posted above.

    #35848

    AITpro Admin
    Keymaster

    The solution is very simple.  The OWASP and other help info pages regarding HSTS are assuming that you are adding the htaccess code to your server’s httpd.conf or vhost conf files or they just left out the very important htaccess directive:  “Header set”.  To add the HSTS code to an htaccess file you need to use this format/code below.  Note:  A space is not required after the max-age parameter and you need to use the double quotes in your htaccess code as shown below.

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
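    Added example (not part of this thread or of BPS Pro): a small Python checker that tells a bare header line like the ones posted earlier apart from a real Apache `Header always set` directive, and parses the Strict-Transport-Security value (max-age, includeSubDomains, preload) as defined in RFC 6797. The function names and the 31536000-second preload minimum are assumptions of this example; the checker is syntactic only and cannot tell whether mod_headers is loaded on the host.

```python
import re

# Hypothetical helper, not BPS Pro code: matches an Apache .htaccess line of the
# form  Header [always|onsuccess] set|add|append|merge Strict-Transport-Security "..."
HTACCESS_RE = re.compile(
    r'^\s*Header\s+(?:(always|onsuccess)\s+)?(set|add|append|merge)\s+'
    r'Strict-Transport-Security\s+"([^"]*)"\s*$', re.IGNORECASE)

def parse_hsts_value(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict (RFC 6797)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not val.strip().isdigit():
                raise ValueError("max-age must be a non-negative integer")
            out["max_age"] = int(val.strip())
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
        else:
            raise ValueError("unknown directive: %s" % name)
    if out["max_age"] is None:
        raise ValueError("max-age is required")
    return out

def check_htaccess_line(line):
    """Return (ok, message) for one candidate .htaccess line."""
    m = HTACCESS_RE.match(line)
    if not m:
        # A bare 'Strict-Transport-Security ...' line is not an Apache directive.
        return False, 'not an Apache directive: expected Header always set Strict-Transport-Security "..."'
    try:
        parsed = parse_hsts_value(m.group(3))
    except ValueError as exc:
        return False, str(exc)
    notes = []
    if m.group(1) is None or m.group(1).lower() != "always":
        notes.append("use 'always' so the header is also sent on error responses")
    # Assumed preload-list minimum: includeSubDomains plus max-age >= 1 year.
    if parsed["preload"] and (not parsed["include_subdomains"] or parsed["max_age"] < 31536000):
        notes.append("preload requires includeSubDomains and max-age >= 31536000")
    return True, "; ".join(notes) or "ok"

if __name__ == "__main__":
    # Constructed inputs: the two lines posted earlier in the thread and the working one.
    for candidate in ('Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"',
                      'Strict-Transport-Security: max-age=31536000; includeSubDomains',
                      'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'):
        print(candidate, "->", check_htaccess_line(candidate))
```

    A line that passes this check can still return a 500 if the server has mod_headers disabled, since Apache rejects the unknown `Header` command; wrapping the directive in `<IfModule mod_headers.c> ... </IfModule>` avoids that failure mode.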

    #35849

    Mats
    Participant

    Thank you, I will try another time tomorrow … . In my first post (on top above) I tried an almost similar expression

    Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    … but in box 8. So let’s hope it will work in box 1 or 14. I’ll give feedback then.

    #35850

    AITpro Admin
    Keymaster

    Ok do not forget to include the most important part of the htaccess directive code:  Header always set
