Because I have to look this up from time to time, a note to myself: add the contents below to your .htaccess to have Apache enforce HTTPS while preserving the rest of the URL (domain name, query string, etc.).

    RewriteEngine On

    # Enforce HTTPS (everywhere): redirect any request that did not arrive over TLS
    # to the same host and path on https://, with a permanent (301) redirect
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Tag Archives: https
Fixing the valet share 301 Redirect Loop
One of the nice things about Laravel Valet is that it includes an easy way to make your local site available publicly. For this it has the aforementioned Ngrok built in. To use it, just run the valet share command, and your local site will be shared through a *.ngrok.io subdomain. However, when combining valet share …
Chrome 66 to Untrust Symantec-issued Certificates
Chrome is really tightening up the security game here. In Chrome 66 it will untrust Symantec-issued SSL/TLS certificates, after Symantec has repeatedly screwed up by wrongly issuing certificates for domains, including google.com itself. Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using …
Continue reading “Chrome 66 to Untrust Symantec-issued Certificates”
Extended Validation Is Broken
https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate. Yes, that’s one for “Stripe, Inc” … but that’s not “Stripe, Inc”, is it? This site uses an EV certificate for “Stripe, Inc” that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably …
Get HTTPS working on localhost, with green padlock
In On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome I said: One of the things that’s still not really frictionless for your local development domains is the use of certificates. To circumvent the use of self-signed certificates I explained in said article how I have a dedicated …
Continue reading “Get HTTPS working on localhost, with green padlock”
On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome
👋 This post also got published on Medium. If you like it, please give it some love, a clap, over there. Earlier today, in a post entitled Secure Contexts Everywhere, it was announced on the Mozilla Security Blog that Firefox from now on will only expose new features such as new CSS properties to secure …
Monitoring for the encrypted web with “Oh Dear!”
Because there’s more to HTTPS than just monitoring for certificate expiration dates. Next to SSL certificate expirations, Oh Dear! also scans for mixed content, revoked (intermediate) certificates, the use of bad or insecure ciphers, etc. Knowing that this service is built by Dries Vints, Freek Van der Herten, and Mattias Geniar tells me that this …
Continue reading “Monitoring for the encrypted web with “Oh Dear!””
Mixed Content and Responsive Images
Interesting issue Jonathan Snook ran into when switching a site over to HTTPS. Even though images from HTTP resources should still get loaded by the browser (as they are Passive Mixed Content, and thus tolerated), they weren’t: After some digging, I noticed that the images that weren’t loading were those defined using the <picture> element. …
Marking HTTP As Non-Secure
My name is Bramus and I approve this message: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to …