#22859 HSTS Header (for HTTP-only sites)

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by nicholas on Saturday, 27 June 2015 07:37 CDT

goslingcools
 Hi,

I have set both the Joomla general settings "force SSL" option AND your "HSTS Header (for HTTP-only sites)" option, but this site, https://www.ssllabs.com/ssltest/index.html, still says:

Strict Transport Security (HSTS) No

It's about this Joomla website https://www.thehaguesecuritydelta.com

What am I doing wrong?

Regards,

Gosling Cools

nicholas
Akeeba Staff
Manager
Your server does not have the Apache mod_headers module installed or activated. Please ask your host to activate it. HSTS and other features (like forbid displaying in IFrames, CORS etc) require this module to work for the simple reason that they're implemented by sending an HTTP header, something only possible when mod_headers is installed and activated in Apache.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

goslingcools
Thanks for your quick and clear answer!

nicholas
Akeeba Staff
Manager
You're welcome!


goslingcools
My host was not able to set headers via .htaccess/mod_headers because they run PHP in CGI mode (for extra security, they say...).
But I could make use of auto_prepend_file in their management console. So I added this file:

<?php
// auto_prepend_file: PHP runs this before every script, so each response gets these headers.
header("X-Frame-Options: DENY");
// Browsers only honour HSTS received over HTTPS (RFC 6797); SSL Labs checks the HTTPS response.
header("Strict-Transport-Security: max-age=31536000");
header("X-Content-Type-Options: nosniff");
// No closing ?> tag: stray whitespace after it would be sent as output before the real page.


Regards,

Gosling Cools
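The snippet above sends Strict-Transport-Security on every response, including plain-HTTP ones that browsers ignore anyway. The following is an added example, not code from the ticket or from Admin Tools, of an auto_prepend_file that emits the same three headers but only sends HSTS when the request actually arrived over HTTPS, and that only trusts an X-Forwarded-Proto header from a configured proxy address. The function names and the TRUSTED_PROXY placeholder are assumptions for illustration.

```php
<?php
/*
 * Added example (not from the ticket or from Admin Tools): an auto_prepend_file
 * that sends X-Frame-Options and X-Content-Type-Options on every response, and
 * Strict-Transport-Security only on HTTPS responses. Browsers discard HSTS that
 * arrives over plain HTTP (RFC 6797 section 8.1), and a long max-age announced
 * before HTTPS is fully working locks visitors out of the site.
 */

declare(strict_types=1);

/** Placeholder assumption: the reverse proxy's address, or '' when there is none. */
const TRUSTED_PROXY = '';

/**
 * Decide whether the client reached us over HTTPS.
 * $server is normally $_SERVER; passing it in keeps the logic testable.
 */
function request_is_https(array $server, string $trustedProxy = TRUSTED_PROXY): bool
{
    // TLS terminated by this Apache/PHP instance: HTTPS is set and not "off".
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Believe X-Forwarded-Proto only when the immediate peer is the trusted proxy;
    // otherwise any client can forge the header and obtain an HSTS policy over HTTP.
    if ($trustedProxy !== ''
        && ($server['REMOTE_ADDR'] ?? '') === $trustedProxy
        && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https') {
        return true;
    }
    return false;
}

/** Build the security headers for one request as a name => value map. */
function security_headers(bool $isHttps, int $maxAge = 31536000): array
{
    $headers = [
        'X-Frame-Options'        => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
    ];
    if ($isHttps) {
        // Append "; includeSubDomains" only once every subdomain is served over TLS.
        $headers['Strict-Transport-Security'] = 'max-age=' . $maxAge;
    }
    return $headers;
}

// auto_prepend_file runs before any script output, so headers_sent() is false here;
// the guard also keeps this file harmless if it is ever included later by hand.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    foreach (security_headers(request_is_https($_SERVER)) as $name => $value) {
        header($name . ': ' . $value, true); // true: replace any earlier copy of the header
    }
}
```

Point the host's auto_prepend_file setting at this file and verify with `curl -sI https://your-site/` that Strict-Transport-Security is present, and with `curl -sI http://your-site/` that it is absent. The max-age is deliberately a parameter so a short value can be used while HTTPS is being rolled out and raised afterwards.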

nicholas
Akeeba Staff
Manager
Please change hosts. Your host doesn't know what they are talking about.

Even if PHP is running in CGI mode it can of course set headers. However this is irrelevant because we're talking about the .htaccess file which is parsed by Apache itself, NOT PHP. The .htaccess file is parsed VERY LONG before Apache routes the URL, let alone decides whether to route it through the configured PHP SAPI. As I wrote in my original reply:
Your server does not have the Apache mod_headers module installed or activated.

Your Apache server does not have the mod_headers.c module installed or activated. It has nothing to do with PHP. You could have a static HTML site with the same .htaccess line and the result would be exactly the same.

Do yourself a favor. Move to a host where the people running the servers actually understand how the servers work. Even though it's not my job –I am a developer, not a systems administrator– I already know more about how Apache works than them. That's scary if you come to think about it...

