Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    HSTS forces all your visitors to view your site over SSL, and makes their browser remember it for a year afterwards.

    So it makes your site more secure, and makes it harder to do a man-in-the-middle attack.

    If you want to keep the option open to revert back to http, don’t enable it; in all other cases I would enable it.

    Hope this helps!

    Rogier

    Thread Starter Amir

    (@repenter)

    Hey Rogier
    Sorry, I got another problem. A few days ago my developer installed this on my website, and since then GTmetrix and GWT cannot open my site.

    My website has not been optimized yet, but at least I could open it in gtmetrix and gwt, before.

    My webhosting told me this:
    Instead of changing in htaccess, change the http to https inside WordPress. The .htaccess method is adding load time to your site.

    So is this correct? Did you have similar issue in the past?

    Thanks

    Thread Starter Amir

    (@repenter)

    He also added:
    We would suggest not forcing this redirect via .htaccess, as WordPress has its own rewrite engine; using .htaccess adds load time to your page.

    Do you agree with this? Can you guide me a bit?

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    Hi Amir,

    In the siteurl as well as the homeurl the http is automatically changed to https when you activate Really Simple SSL.

    You can always remove the .htaccess redirects, and enable “stop editing the .htaccess” in the plugin settings. Then you can check if that helps. But in my experience a .htaccess redirect is very fast. Besides, it only kicks in when a user requests the site on http.

    Without the .htaccess the website is in some cases accessible over http, which is less secure.

    Hope this helps.

    Rogier

    Thread Starter Amir

    (@repenter)

    Hi Rogier
    Sorry to bring this up again. I used this tutorial for switching to https:
    https://www.keycdn.com/blog/http-to-https/

    So in my htaccess I entered this code:

    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    And I noticed it’s similar to your plugin’s code:

    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    I want to be sure: are these equal? Can I remove the other code?

    Thanks

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    The effect of both lines of code is the same, so you can choose which one you like best 🙂
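
An added example, not part of the thread and not the plugin's code: a Python check of what the redirect and the one-year HSTS policy discussed above should look like in the responses, with directive handling per RFC 6797. The response dictionaries, their lowercase header names and the host example.com are constructed assumptions.

```python
import re

ONE_YEAR = 31536000  # seconds: the "remember it for a year" lifetime

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # empty directive, e.g. a trailing ";"
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')  # the value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is required and must be digits
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def audit(http_resp, https_resp, host):
    """Return findings for one host's plain-http and https responses."""
    findings = []
    location = http_resp["headers"].get("location", "")
    # Both rewrite rules in the thread redirect to https://HOST + REQUEST_URI.
    if http_resp["status"] != 301 or not location.startswith(f"https://{host}/"):
        findings.append("http is not 301-redirected to https on the same host")
    if "strict-transport-security" in http_resp["headers"]:
        findings.append("HSTS header sent over http is ignored by browsers")
    policy = parse_hsts(https_resp["headers"].get("strict-transport-security", ""))
    if policy is None:
        findings.append("https response has no valid HSTS header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 makes browsers drop the HSTS policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("HSTS lifetime is shorter than one year")
    return findings

# Constructed sample responses (not captured from any real site).
REDIRECT = {"status": 301, "headers": {"location": "https://example.com/shop"}}
SECURE = {"status": 200, "headers": {
    "strict-transport-security": "max-age=31536000; includeSubDomains"}}
NO_REDIRECT = {"status": 200, "headers": {}}
SHORT = {"status": 200, "headers": {"strict-transport-security": "max-age=3600"}}

if __name__ == "__main__":
    print(audit(REDIRECT, SECURE, "example.com"))    # clean configuration
    print(audit(NO_REDIRECT, SHORT, "example.com"))  # two findings
```

An empty list from `audit` means the plain-http request is permanently redirected and the https response carries a policy of at least one year.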


The topic ‘HSTS’ is closed to new replies.