
Is HTTP Strict Transport Security still reasonable if http/80 protocol is disabled?

Question asked by j-mailor on Feb 1, 2014
Latest reply on Feb 7, 2014 by j-mailor

Hi,

I have managed to find a web page that has an "A+" grade on ssllabs.com/ssltest. I see this web page is supporting HTTP Strict Transport Security (= HSTS): https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Just wondering: on my web page using Apache 2.4.x with OpenSSL 1.0.1e I have disabled the http protocol on port 80 (commented out the line as #Listen 80 in the Apache httpd.conf file) and I have only port 443 with TLS traffic enabled (it is one of the internal web servers that are accessed using a link from another web page, so there is no need for the http/80 port to be enabled). Would I still benefit from enabling HSTS despite port http/80 being disabled? Is there some threat that I can prevent using HSTS? Reading Wikipedia (link above) I also see that HSTS prevents man-in-the-middle attacks in that the web browser refuses to accept self-signed certificates that may be offered by an attacker. What are the recommendations: should I bother to set up HSTS on Apache or not?


P.S. May I also suggest moving the "Documentation" link from the Summary section to below the Summary section, and maybe just using a white background instead of light orange.

Thanks
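As an added illustration (not part of the original post, and not the asker's configuration), the following Python models the browser-side behaviour from RFC 6797 that the question turns on: a Strict-Transport-Security header is only noted when it arrives over https, so a TLS-only server on port 443 is exactly where it can be set, and once noted the browser rewrites http:// URLs for that host to https:// before any request leaves the machine, so a closed port 80 is never contacted. The hostnames, header values and timestamps are constructed for the example.

```python
"""Toy model of a user agent's HSTS store (RFC 6797), added as an illustration.

Hostnames, header values and clock values below are constructed for the
example; they are not from any real server.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# One directive: name, optionally "=" and a token or quoted string (RFC 6797 s6.1).
DIRECTIVE_RE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the value is invalid:
    max-age is mandatory, a directive may not appear twice, and max-age must
    be a non-negative integer. Unknown directives are ignored (s6.1).
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for part in header_value.split(';'):
        if not part.strip():
            continue
        m = DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen.add(name)
        value = m.group(3)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The list of known HSTS hosts a conforming browser keeps."""

    def __init__(self):
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers, now):
        """Note a policy from a response. Returns True if the store changed.

        s8.1: the header is honoured only when received over a secure
        transport. A header seen on plain http is discarded, which is why
        HSTS is served from port 443 and needs nothing on port 80.
        """
        parts = urlsplit(url)
        if parts.scheme != 'https' or parts.hostname is None:
            return False
        value = next((v for k, v in headers
                      if k.lower() == 'strict-transport-security'), None)
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # s6.1.1: max-age=0 deletes the policy
        else:
            self.hosts[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """Is host covered by a non-expired policy (s8.2 matching)?"""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = self.hosts.get('.'.join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue
            if i == 0 or include_subdomains:  # exact match, or superdomain with includeSubDomains
                return True
        return False

    def rewrite(self, url, now):
        """s8.3 URI rewriting: http -> https for known hosts; an explicit :80
        becomes :443, any other explicit port is kept. Happens before any
        network traffic, so a closed port 80 is never reached."""
        parts = urlsplit(url)
        if parts.scheme != 'http' or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        if parts.port is None:
            netloc = parts.hostname
        elif parts.port == 80:
            netloc = f"{parts.hostname}:443"
        else:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed walk-through: a TLS-only server sets HSTS, a plain-http
    server tries to and is ignored, and later http:// URLs are upgraded."""
    store = HstsStore()
    now = 1_000_000
    noted_tls = store.process_response(
        'https://intranet.example.test/',
        [('Content-Type', 'text/html'),
         ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')],
        now)
    noted_plain = store.process_response(
        'http://other.example.test/',
        [('Strict-Transport-Security', 'max-age=600')], now)
    return {
        'noted_tls': noted_tls,
        'noted_plain': noted_plain,
        'upgraded': store.rewrite('http://intranet.example.test/login?x=1', now + 60),
        'subdomain': store.rewrite('http://wiki.intranet.example.test/', now + 60),
        'untouched': store.rewrite('http://other.example.test/', now + 60),
        'expired': store.rewrite('http://intranet.example.test/', now + 31536001),
    }
```

In Apache 2.4 the header itself comes from mod_headers, `Header always set Strict-Transport-Security "max-age=31536000"` placed inside the port 443 virtual host; the model shows why that is meaningful with no port 80 listener at all, since the browser never needs to reach port 80 to learn or to apply the policy. The certificate-error behaviour mentioned in the question (RFC 6797 s12.1: a TLS error to a known HSTS host is fatal and cannot be clicked through) is a user-agent policy rather than part of header processing and is not modelled here.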
