Nginx Configuration: Is it possible to enable Gzip with HTTPS - nginx

Hello I know Gzip over https/SSL is unsecured but my server runs just one blog that is a static file website with so there is no security risk.
So what I would like to do is use both https for http_v2 and Gzip in my Nginx server configuration.
Does anyone know how to enable them both as it seems that Gzip by default only runs with http?
Thanks

The attacks allow an attacker to guess the content (like cookies). If you don't store anything confidential in them, you can safely activate Gzip.
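
One way to do what the question asks, as an added example that is not part of the original posts: gzip is switched on inside an HTTPS server block exactly as it would be for plain HTTP. The host name, certificate paths, document root and the `/account/` location are placeholders; the `gzip off` override shows how to keep compression away from any path whose responses would contain secrets.

```nginx
# Added example; goes inside the http { } context.
# example.com, the certificate paths, the root and /account/ are placeholders.
server {
    # "http2" on the listen line works on nginx 1.9.5+; newer releases
    # prefer a separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    root /var/www/blog;

    # Response-body compression. It behaves the same over TLS as over HTTP.
    gzip on;
    gzip_vary on;           # emit "Vary: Accept-Encoding" for caches
    gzip_min_length 256;    # do not bother with tiny responses
    gzip_comp_level 5;
    # text/html is always compressed; every other MIME type must be listed.
    gzip_types text/css text/plain application/javascript application/json
               application/xml image/svg+xml;

    # Static, public pages: nothing confidential in the body, safe to compress.
    location / {
        try_files $uri $uri/ =404;
    }

    # Hypothetical path for responses that carry per-user secrets:
    # leave those uncompressed.
    location /account/ {
        gzip off;
    }
}
```

After a reload, `curl -s -o /dev/null -D - --compressed https://example.com/` should list `Content-Encoding: gzip` for a page larger than `gzip_min_length`, and the same request against the `gzip off` location should not.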

Related

Web page security - http, https, hsts

I have web server IIS, where I have direct access to page like (page.com), so that's the reason why I have allowed HTTP (port 80) and then I am using HTTPS (port 443).
When user enters the page on port 80 (page.com), he will be redirected to HTTPS (443). So my web server uses HSTS with long max-age parameter (defense against ssl strip).
Is my page secure with HSTS header this way? If not, what should I do?
Thanks a lot!
As always, the question is secure against what? Secure against ssl strip after the first response with HSTS (and before it expires)? Yes. Secure against ssl strip on the very first request (or the first after HSTS expired)? No. Secure against a range of different attacks? Not necessarily (dns hijack on the first request, corporate ssl inspection, rogue root cert in clients, malware... the list is endless).
Could you make it more secure? Yes, by disabling plain http altogether. Would that make sense in your scenario? Only you can tell.

Dev site redirected to https because of STS rule in production

We have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:
https://dev.tokeeen.com/app_dev.php/my-habits
Even if the host is set to 127.0.0.1
127.0.0.1 dev.tokeeen.com
Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.
You are currently setting this on your main site:
Strict-Transport-Security max-age=63072000; includeSubDomains
If you change this to remove the includeSubDomains bit then it will only apply to your top level domain and not the dev sub domain:
Strict-Transport-Security max-age=63072000;
You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.
However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).
But to be honest you should just use https on your dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.
You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.
You have to get yourself a wildcard certificate as the ssl certificate is only for that domain. That's the whole point of having a secure site.
I'm not sure what server system you are using but in case you don't want to use wildcards and are ok with less secure, you can bind the other domains to port 80 with the binding type http

How to disable https and use http for browsing sites using http

I want to disable https and want to access a site by http (for experimental purposes). I am using firefox on ubuntu 12.4. I tried by disabling SSL in browser. But then I am not able to access sites with https.
How can I do this?
Some sites require using https (SSL) for accessing them. The site you try to access would probably redirect you to https (SSL), even if you decide to use http. In that case, you cannot disable the SSL use from your browser, because it is a demand from your target site.
Hope I helped...

Does nginx cache my responses?

I'm using Symfony2 with nginx as http server (I don't know much about reverse proxies, I just installed it and didn't touch anything), without Apache nor Varnish.
I need to know whether nginx is caching the responses I send with the correct headers, like public, max-age, and s-max-age, or I have to add something else to the stack, like Varnish.
I have read somewhere that if you add Varnish, you will have to add yet something else, for gzip compression. So it would be nginx -> Varnish -> ???
So is nginx caching? How can I check that? I did grep cache on the nginx logs and found nothing.
To use nginx caching you should configure it.
http://nginx.org/r/fastcgi_cache_path
http://nginx.org/r/proxy_cache_path
You do not need Varnish unless ESI is required.
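
A sketch of the configuration the answer refers to, as an added example that is not part of the original posts: it enables the FastCGI cache for a Symfony front controller and exposes nginx's cache decision in a response header, which answers the "how can I check" part of the question. The zone name, paths, PHP-FPM socket and the `app.php` front controller are assumptions.

```nginx
# Added example; goes inside the http { } context.
# Zone name, paths, socket and app.php are placeholders/assumptions.
fastcgi_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                   max_size=256m inactive=60m;

server {
    listen 80;
    server_name example.com;
    root /var/www/app/web;

    location / {
        try_files $uri /app.php$is_args$args;
    }

    location ~ ^/app\.php(/|$) {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;

        fastcgi_cache app_cache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";

        # Lifetime is taken from the backend's Cache-Control / Expires
        # headers. No fastcgi_cache_valid is set, so a response without
        # them is not stored.
        # Responses with Set-Cookie, or Cache-Control private / no-cache /
        # no-store, are never stored unless fastcgi_ignore_headers says
        # otherwise, which keeps per-user pages out of the shared cache.

        # MISS, HIT, EXPIRED, BYPASS, ...: tells you whether nginx answered
        # from its cache.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

Requesting the same cacheable URL twice should show `X-Cache-Status: MISS` followed by `X-Cache-Status: HIT`; without a cache zone configured the variable is empty, which is why grepping the logs found nothing.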

Already using rewrite module to redirect to ssl - overkill to also do in asp.net?

I'm using the IIS 7 rewrite module to redirect a page to use https if http is detected.
Is it possible that the rewrite module can be bypassed? Would it be overkill to also put in an https check in the page_load code as well?
If you want to force SSL the best way to do it is using only the port 443. If you only need SSL in some pages of your website my recommendation is to move these files into a special web application or virtual directory. Doing this you can force the SSL connection for these files without worrying about rewrite rules. You can check how to do it here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
Allowing HTTP and HTTPS connections to the same resource can be used to perform a cookie stealing attack if the application cookies are not using the "Secure" attribute.
