
Forcing a Website To HTTPS

With Dreamhost now providing free Let's Encrypt certificates, there's no reason not to set up a certificate and start running your site on a secure connection.

To force incoming connections to use the secure https protocol, you set your .htaccess file to rewrite http:// to https://.

The .htaccess file should be found in the root of your website; it may be hidden. You may find that the RewriteEngine On directive is already there, in which case it can be omitted.

Note: If the .htaccess file is not visible, you need to make it visible. In CuteFTP (adapt these instructions for other FTP clients) right-click the website root folder, select Filter, enable server-side filtering, then enter the remote filter -L-a. Alternatively, you can right-click the site in the CuteFTP Site Manager and apply the filter there.

Add the following near the top of the .htaccess file:

RewriteEngine On
# %{HTTPS} holds "on" or "off" in lowercase and the = comparison is
# case-sensitive, so compare against "on".
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
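
To confirm the rule behaves as intended once it is in place, the following added example (not part of the original post) audits a response without following redirects: a plain-HTTP request should get a 301 to the same host and path over https, and an HTTPS request must not be redirected back to itself. The host example.com, the sample responses and the function names audit and probe are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

def audit(request_url, status, location):
    """Return a list of problems with one response; an empty list means OK."""
    req = urlsplit(request_url)
    loc = urlsplit(location) if location else None
    problems = []
    if req.scheme == "https":
        # A rule whose condition still matches on HTTPS sends the browser
        # back to the URL it just requested: a redirect loop.
        if status in (301, 302, 307, 308) and location == request_url:
            problems.append("HTTPS request redirects to itself (loop)")
        return problems
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if loc is None:
        problems.append("no Location header")
        return problems
    if loc.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if loc.hostname != req.hostname:
        problems.append(f"host changed to {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems

def probe(url):
    """Live check: request url once, without following redirects."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (example.com is a placeholder host).
SAMPLES = [
    ("http://example.com/blog/?p=7", 301, "https://example.com/blog/?p=7"),
    ("http://example.com/blog/?p=7", 302, "https://example.com/"),
    ("http://example.com/", 200, None),
    ("https://example.com/", 301, "https://example.com/"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, status, audit(url, status, location) or "OK")
```

Against a live site, pass the result of probe(url) to audit for both the http:// and https:// forms of the same URL.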

If you're having trouble with the secure padlock icon on your site, visit https://www.whynopadlock.com/ for some tips on how to clear up any issues blocking full encryption on your site.

Reference: http://wiki.dreamhost.com/DreamPress#How_do_I_use_SSL_on_DreamPress.3F (Though this info didn't work without modification)


Web Security

Some resources and notes regarding Web Application security:

Resources

Securing the Desktop

The first stage must surely be to protect the machines we're working from. A good first step is to enable OpenDNS on your machine, or if on a home network, enable it on your router to cover all machines on your network. Within the settings of your network on OpenDNS, block access to domains commonly associated with malware, such as .ru, .cn and .nu, unless you are likely to want to visit sites in those domains.

Setting up SSL on a Web Server

If you're running a home web server, you'll want to consider enabling SSL on your server. This causes all traffic between the browser and the server to be encrypted when the HTTPS protocol is used. Combined with a login system employing salted passwords, this will make your server reasonably safe. One note, though: if you don't purchase an SSL certificate, your visitors will be warned that the certificate is untrusted when they visit your site using HTTPS. Saving the hundred dollars or so may well be worth that inconvenience. Users can tell the browser to accept the certificate as valid to stop the warnings.

This article gives a very good guide to the process of getting this set up on your server:

http://www3.ntu.edu.sg/home/ehchua/programming/howto/WampServer_HowTo.html