Apache - Meysmahdavi

Tag Archive: Apache

What is HSTS ?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It lets a web server declare that web browsers (and other complying user agents) must interact with it only over HTTPS connections, which provide Transport Layer Security (TLS/SSL), never over plain, unauthenticated HTTP. HSTS is an IETF standards track protocol specified in RFC 6797.

The HSTS policy is communicated by the server to the user agent via an HTTPS response header field named "Strict-Transport-Security". The policy specifies a period of time (max-age, in seconds) during which the user agent must only access the server in a secure fashion. Two details of RFC 6797 matter for deployment: a Strict-Transport-Security header received over plain HTTP is ignored, so the header only takes effect once the client has reached the site over HTTPS, and while the policy is in force the user agent must treat any certificate error for that host as a hard failure with no click-through. Websites using HSTS often do not accept clear-text HTTP, either by rejecting connections over HTTP or by systematically redirecting users to HTTPS (though the specification does not require this). The consequence is that a user agent not capable of TLS will not be able to connect to the site.

The protection only applies after a user has visited the site at least once over HTTPS and received the header; the first visit is a trust-on-first-use gap, which is what the browser preload list described below closes. Once the policy is cached, a user entering or selecting a URL for the site that specifies HTTP is automatically upgraded to HTTPS inside the browser, without any HTTP request being sent, so there is no clear-text request for a man-in-the-middle to intercept.

Submission Requirements

If a site sends the preload directive in an HSTS header, it is considered to be requesting inclusion in the preload list and may be submitted via the form at hstspreload.org. (The requirements and deployment advice that follow are those published by the preload list maintainers.)

In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:

  1. Serve a valid certificate.
  2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
  3. Serve all subdomains over HTTPS.
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
  4. Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least 31536000 seconds (1 year).
    • The includeSubDomains directive must be specified.
    • The preload directive must be specified.
    • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

Example of a valid HSTS header. Note that in .htaccess this is not written as a raw header line: you set it with the Header directive of mod_headers, and the site must also redirect HTTP to HTTPS before the header does any good.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

You can check the status of your request by entering the domain name again in the submission form at hstspreload.org, or consult the current Chrome preload list by visiting chrome://net-internals/#hsts in your browser. Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version.

Continued Requirements

You must make sure your site continues to satisfy the submission requirements at all times. Note that removing the preload directive from your header will make your site immediately eligible for the removal form, and that sites may be removed automatically in the future for failing to keep up the requirements.

Deployment Recommendations

If your site is committed to HTTPS and you want to preload HSTS, we suggest the following steps:

  1. Examine all subdomains (and nested subdomains) of your site and make sure that they work properly over HTTPS.
  2. Add the Strict-Transport-Security header to all HTTPS responses and ramp up the max-age in stages, using the following header values:
    • 5 minutes:
      max-age=300; includeSubDomains
    • 1 week:
      max-age=604800; includeSubDomains
    • 1 month:
      max-age=2592000; includeSubDomains

    During each stage, check for broken pages and monitor your site’s metrics (e.g. traffic, revenue). Fix any problems that come up and then wait the full max-age of the stage before you move on. For example, wait a month in the last stage.

  3. Once you’re confident that there will be no more issues, increase the max-age to 2 years and submit your site to the preload list:
    • 2 years, requesting to be preloaded:
      max-age=63072000; includeSubDomains; preload

If you have a group of employees or users who can beta test the deployment, consider trying the first few ramp-up stages on those users. Then make sure to go through all stages for all users, starting over from the beginning.
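As an added example, written for this page rather than taken from hstspreload.org or the original post, the following Python parses a Strict-Transport-Security value according to the RFC 6797 directive grammar and then applies the submission requirements above (redirect from HTTP to HTTPS on the same host, HSTS on every HTTPS response including redirects, max-age of at least one year, includeSubDomains and preload present) to a set of recorded responses. The example.com responses and all function names are constructed for illustration; nothing is fetched from the network.

```python
"""HSTS header parser and preload-eligibility checker (added example, not hstspreload.org code)."""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age accepted by the preload list, in seconds

# RFC 6797 6.1: directive = directive-name [ "=" directive-value ], directive-value = token | quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE_RE = re.compile(
    r'^\s*(' + _TOKEN + r')\s*(?:=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r')))?\s*$'
)


def parse_hsts(value):
    """Return {directive_name_lower: value_or_None}, or None if the header is invalid.

    Names are case-insensitive, empty directives (e.g. a trailing ';') are allowed,
    a repeated directive makes the whole header invalid, and max-age is mandatory.
    """
    directives = {}
    for part in value.split(";"):
        if part.strip() == "":
            continue
        match = _DIRECTIVE_RE.match(part)
        if not match:
            return None
        name = match.group(1).lower()
        if name in directives:
            return None  # RFC 6797: a directive MUST NOT appear more than once
        if match.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", match.group(2))  # unescape quoted-pair in quoted-string
        else:
            val = match.group(3)
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is REQUIRED and must be a non-negative integer (delta-seconds)
    return directives


def preload_eligible(header_value):
    """Check one header value against the preload requirements. Returns (ok, problems)."""
    directives = parse_hsts(header_value)
    if directives is None:
        return False, ["header does not parse as a valid Strict-Transport-Security value"]
    problems = []
    if int(directives["max-age"]) < ONE_YEAR:
        problems.append(f"max-age {directives['max-age']} is below {ONE_YEAR} (1 year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return not problems, problems


def _header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_site(base_host, responses):
    """Apply requirements 2 and 4 to recorded responses: {url: (status, headers)}."""
    problems = []
    http_url = f"http://{base_host}/"
    https_url = f"https://{base_host}/"
    if http_url in responses:
        status, headers = responses[http_url]
        location = _header(headers, "Location") or ""
        target = urlsplit(location)
        if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != base_host:
            problems.append(f"{http_url}: must redirect to {https_url} on the same host, got {status} {location!r}")
    if https_url not in responses:
        problems.append(f"{https_url}: no HTTPS response recorded for the base domain")
    for url, (status, headers) in responses.items():
        if not url.startswith("https://"):
            continue  # browsers ignore HSTS sent over plain HTTP, so only HTTPS responses count
        hsts = _header(headers, "Strict-Transport-Security")
        if hsts is None:
            problems.append(f"{url} ({status}): no Strict-Transport-Security header (redirects need it too)")
            continue
        _, why = preload_eligible(hsts)
        problems.extend(f"{url}: {w}" for w in why)
    return problems


# Constructed sample responses (not captured from a real site).
_PRELOAD = "max-age=63072000; includeSubDomains; preload"
SAMPLE_GOOD = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (301, {"Location": "https://www.example.com/", "Strict-Transport-Security": _PRELOAD}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": _PRELOAD}),
}
SAMPLE_BAD = {
    "http://example.com/": (301, {"Location": "https://www.example.com/"}),  # leaves the host before upgrading
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=300; includeSubDomains"}),
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_site("example.com", sample) or "eligible")
```

The bad sample fails for four reasons at once: the HTTP redirect leaves the host before the HTTPS upgrade, the bare domain has no HTTPS response, and the www host is still at the 5-minute ramp-up stage without preload. Running the same checks against your own responses, stage by stage, is how you confirm the ramp-up above was completed before you submit.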

Consult the Mozilla Web Security guidelines and the Google Web Fundamentals pages on security for more concrete advice about HTTPS deployment.

Preloading Should Be Opt-In

If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. The preload list maintainers regularly hear from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they discover they need to remove HSTS to reach certain subdomains. Removal tends to be slow and painful for those sites.

It’s great to support HSTS preloading as a best practice, and for projects to provide a simple option to enable it. However, site operators who enable HSTS should know about the long-term consequences of preloading before they turn it on for a given domain.

Removal

Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don’t request inclusion unless you’re sure that you can support HTTPS for your entire site and all its subdomains in the long term.

What is htaccess?

The .htaccess file is an Apache web server configuration file that can control access to a site or how the site behaves. It can override the default settings of the Apache server for the directory it sits in, but only if the server's main configuration allows that directory to be overridden (the AllowOverride directive); with AllowOverride None the file is ignored. An .htaccess file can easily be created with a text or HTML editor and then uploaded. Make sure the file is created or uploaded in the directory you want it to control. If you use one .htaccess file to control the whole site, upload it to your public web root. Prefer SFTP or FTPS over plain FTP for the upload: a file that changes access rules for your site should not travel, together with your credentials, in clear text.

The .htaccess file is a dotfile: the "." at the start of the name makes Unix-like systems hide it from normal directory listings. This is a display convention, not a security control; what actually keeps the file away from web visitors is Apache's default configuration, which denies HTTP access to any file whose name begins with ".ht". So if you upload it via FTP it will not appear in your FTP client's file list unless the client has an option to show hidden files (most FTP clients do). If you need to change the .htaccess file, just upload a new version and overwrite the existing one.

Creating an .htaccess file

You can create an .htaccess file on your computer or on the server, and it is very simple. To create it on Windows, open Notepad and save the file with the name .htaccess (choose "All files" as the file type, otherwise Notepad appends .txt and the server will not recognise the file). After saving it, upload the file to your host or server with your preferred FTP client. The .htaccess file must be placed in the folder where your site lives, usually public_html.

Creating an .htaccess file on the host or server

Log in to your cPanel account. Click the File Manager icon, which is in the Files section.

In the dialog that opens, select the "Show Hidden Files (dotfiles)" option. If you do not see this dialog, click the "reset all interface settings" link at the bottom of the cPanel page. In the File Manager window, choose the folder you want to open; most often this is "Web Root (public_html/www)". Note that if you are already in File Manager, you can add "&showhidden=1" to the end of the URL instead. To create a new file, click the New File icon and name it .htaccess.

What is htaccess? (English)

An .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, used for configuration of website-access issues, such as URL redirection, URL shortening, access control (for different web pages and files), and more. The ‘dot’ (period or full stop) before the file name makes it a hidden file in Unix-based environments.

A site could have more than one .htaccess file, and the files are placed inside the web tree (i.e. inside directories and their sub-directories), and hence their other name distributed configuration files.

.htaccess files act as a subset of the server's global configuration file (like httpd.conf) for the directory they are in and all of its sub-directories, and Apache only consults them where the main configuration's AllowOverride directive permits it. Because Apache has to look for and parse them on every request, and because anyone who can write to the web root can use them to change handler mappings and access rules, hardened deployments often set AllowOverride None and put the same directives in httpd.conf instead.

The original purpose of .htaccess—reflected in its name—was to allow per-directory access control by, for example, requiring a password to access World Wide Web content. More commonly, however, the .htaccess files define or override many other configuration settings such as content type, character set, Common Gateway Interface handlers, etc.

Format and language:

.htaccess files use the same directive syntax as Apache's main configuration file; there is no separate language. What does need extra knowledge is the Perl Compatible Regular Expressions (PCRE) syntax used by pattern-matching directives such as RewriteRule and RedirectMatch, so learning basic PCRE helps in mastering work with these files.

For historical reasons, the format of .htaccess files is a limited subset of the Apache HTTP server’s global configuration file httpd.conf even when used with web servers such as Oracle iPlanet Web Server and Zeus Web Server which have very different native global configuration files.