#22559 HSTS Header

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by Lumiga on Thursday, 30 April 2015 05:49 CDT

Lumiga
Hi,

In your documentation about the HSTS Header, you write that Joomla! offers a Global Configuration setting to force SSL throughout the entire site, but that this is merely a workaround.

So my question is: when I want to use my website only over HTTPS, do I have to use the Joomla setting in combination with HSTS Header set to YES, or should I only set HSTS Header to YES?

Hope to hear from you.

With kind regards,
Lumiga

nicholas
Akeeba Staff
Manager
You need to turn both settings on. The two settings are complementary.

You may wonder why you need the HSTS header. It's a more secure setup. Without it, trying to access http://www.example.com means that the browser contacts the site over the unencrypted, plain old HTTP channel and Joomla! sends it a redirect to https://www.example.com. This means that any information sent to the site, including the login cookie, will be transferred over unencrypted HTTP, and there's a security and privacy risk there. With the HSTS header the browser will NOT attempt to use the HTTP channel at all. It will convert http://www.example.com to https://www.example.com BEFORE making the network connection. Thus no information is exchanged over insecure, plain old HTTP. The thing is that the very first time you access the site someone needs to tell the browser to use the HTTPS version. That's what the Joomla! setting does.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
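The interplay Nicholas describes can be traced through with a small model. The following is an added example, not Joomla! or Admin Tools code: a hypothetical origin server with the two toggles from this thread (force-HTTPS redirect, Strict-Transport-Security header) and a hypothetical browser that keeps an HSTS cache and rewrites http:// to https:// before it opens a connection. The host name, paths and max-age value are constructed for the example. The server only sends the header over HTTPS, because RFC 6797 requires browsers to ignore it on non-TLS responses; that is what makes the "HSTS only, no redirect" case fail.

```python
"""
Toy model of how an HTTP->HTTPS redirect and the Strict-Transport-Security
header work together. Added example with a hypothetical server and browser;
not Joomla! or Admin Tools code.
"""
import re
from dataclasses import dataclass, field

HOST = "www.example.com"          # constructed host name
ONE_YEAR = 31536000               # max-age most deployments send
STS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: dict


@dataclass
class Site:
    """Hypothetical origin with the two settings the thread discusses."""
    force_https: bool  # Joomla! Global Configuration: force HTTPS on the entire site
    send_hsts: bool    # Admin Tools: HSTS Header = Yes

    def handle(self, scheme: str, path: str) -> Response:
        if scheme == "http":
            if self.force_https:
                return Response(301, {"Location": f"https://{HOST}{path}"})
            # Served in the clear. Sending STS here would not help: RFC 6797
            # tells browsers to ignore the header on non-TLS responses.
            return Response(200, {})
        headers = {}
        if self.send_hsts:
            headers["Strict-Transport-Security"] = f"max-age={ONE_YEAR}"
        return Response(200, headers)


@dataclass
class Browser:
    """Hypothetical UA with an HSTS cache: host -> expiry time (seconds)."""
    hsts: dict = field(default_factory=dict)
    plaintext_requests: list = field(default_factory=list)

    def _remember_sts(self, host: str, value: str, now: int) -> None:
        m = STS_RE.search(value)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.hsts.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self.hsts[host] = now + max_age

    def visit(self, url: str, site: Site, now: int) -> str:
        """Fetch url, following redirects; return the scheme the page was finally served over."""
        for _ in range(5):
            scheme, rest = url.split("://", 1)
            host, _, tail = rest.partition("/")
            path = "/" + tail
            # The HSTS upgrade happens here, before any socket is opened.
            if scheme == "http" and self.hsts.get(host, 0) > now:
                scheme = "https"
            if scheme == "http":
                # Anything attached to the request (cookies included) goes out in the clear.
                self.plaintext_requests.append(f"http://{host}{path}")
            resp = site.handle(scheme, path)
            sts = resp.headers.get("Strict-Transport-Security")
            if scheme == "https" and sts:
                self._remember_sts(host, sts, now)
            if resp.status in (301, 302, 307, 308):
                url = resp.headers["Location"]
                continue
            return scheme
        raise RuntimeError("redirect loop")


def simulate(force_https: bool, send_hsts: bool) -> dict:
    """Two visits to the same http:// URL a day apart; report what went over plaintext."""
    site = Site(force_https, send_hsts)
    ua = Browser()
    url = f"http://{HOST}/administrator/"
    first = ua.visit(url, site, now=0)
    second = ua.visit(url, site, now=86400)
    return {"first": first, "second": second, "plaintext": list(ua.plaintext_requests)}


if __name__ == "__main__":
    for fh, hs in [(True, True), (True, False), (False, True), (False, False)]:
        r = simulate(fh, hs)
        print(f"force_https={fh!s:5} hsts={hs!s:5} -> served over {r['first']}/{r['second']}, "
              f"{len(r['plaintext'])} plaintext request(s)")
```

With both settings on, exactly one plaintext request is made, on the very first visit; every later visit is upgraded before the connection. Redirect alone leaks one request per visit; the header alone never takes effect, because the page is served over HTTP and the browser never sees the header over TLS. The remaining first-visit request is the gap Nicholas points out; the browsers' HSTS preload list is the mechanism for closing it and is outside this model.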

Lumiga
Thanks Nicholas that's what I wanted to know.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!