Apache .htaccess enforce HTTPS

Because I have to look this up from time to time, a note to myself: Add the contents below to your .htaccess to have Apache enforce HTTPS while preserving the rest of the URL (domain name, querystring, etc). RewriteEngine On # Enforce HTTPS (everywhere) RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] ~

Fixing the valet share 301 Redirect Loop

One of the nice things of Laravel Valet is that it includes an easy way to make your local site available publicly. For this it has the aforementioned Ngrok built-in. To use it, just run the valet share command, and your local site will be shared through a *.ngrok.io subdomain. However, when combining valet share …

Chrome 66 to Untrust Symantec-issued Certificates

Chrome is really tightening up the security game here. In Chrome 66 it will untrust Symantec-issued SSL/TLS certificates, after Symantec has repeatedly screwed up by wrongly issuing certificates for domains, including google.com itself. Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using …

Extended Validation Is Broken

https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate. Yes, that’s one for “Stripe, Inc” … but, that’s not “Stripe, Inc” is it? This site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably …

Get HTTPS working on localhost, with green padlock

In On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome I said: One of the things that’s still not really frictionless for your local development domains is the use of certificates. To circumvent the use of self-signed certificates I explained in said article how I have a dedicated …

On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome

👋 This post also got published on Medium. If you like it, please give it some love a clap over there. Earlier today, in a post entitled Secure Contexts Everywhere, it was announced on the Mozilla Security Blog that Firefox from now on will only expose new features such as new CSS properties to secure …

Monitoring for the encrypted web with “Oh Dear!”

Because there’s more to HTTPs than just monitoring for certificate expiration dates. Next to SSL Certificate Expirations, Oh Dear! also scans for Mixed Content, Revoked (Intermediate) Certificates, the use of bad or insecure ciphers, etc. Knowing that this service is built by Dries Vints, Freek Van der Herten, and Mattias Geniar tells me that this …

Mixed Content and Responsive Images

Interesting issue Jonathan Snook ran into when switching a site over to HTTPS. Even though images from HTTP resources should still get loaded by the browser (as they are Passive Mixed Content, and thus tolerated), they weren’t: After some digging, I noticed that the images that weren’t loading were those defined using the <picture> element. …

Marking HTTP As Non-Secure

My name is Bramus and I approve this message: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to …