Tech Tip: Implementing HTTP Strict Transport Security (HSTS) in 4D's Web Server
PRODUCT: 4D | VERSION: 16 | PLATFORM: Mac & Win
Published On: March 30, 2017
HTTP Strict Transport Security (HSTS) is a mechanism that helps protect websites against protocol downgrades by declaring to browsers and other user agents that they should only interact with the site over HTTPS connections and never over the insecure HTTP protocol. HSTS is defined in RFC 6797.
Implementing HSTS in 4D is super easy!
All you need to do is add the HTTP response header to your dynamic requests like this:
  // Build the HSTS header value and add it to the current web response
C_TEXT($vtCookie)
$vtCookie:="Strict-Transport-Security: max-age=31536000"
WEB SET HTTP HEADER($vtCookie)
Now, the browser has been told to only use HTTPS when interacting with your page for the next 31,536,000 seconds (one non-leap year).
More options for HSTS are available and discussed on OWASP.
This can be applied to all requests by utilizing a web decoy folder.
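As an added example (not code from the original tip), the same header wrapped in a small 4D method that sends it only on TLS connections: RFC 6797 requires user agents to ignore a Strict-Transport-Security header received over plain HTTP, so emitting it there adds nothing. It also shows the includeSubDomains directive, one of the options discussed on OWASP. The method name SetHSTSHeader is an assumed name; the built-in commands used (WEB Is secured connection, WEB SET HTTP HEADER) are standard 4D commands.

```4d
  // Method: SetHSTSHeader (assumed name, not from the original tip)
  // Call this from the code that serves your dynamic requests.
  // The header is only meaningful on an HTTPS response, so it is
  // skipped for plain HTTP requests (browsers ignore it there anyway).
C_TEXT($vtHeader)

If (WEB Is secured connection)
	  // max-age of one non-leap year; includeSubDomains extends the
	  // policy to every subdomain, so only use it when all of them serve HTTPS
	$vtHeader:="Strict-Transport-Security: max-age=31536000; includeSubDomains"
	WEB SET HTTP HEADER($vtHeader)
End if
```

Because includeSubDomains commits every subdomain to HTTPS for the full max-age, a common practice is to start with a short max-age while verifying that each host under the domain actually serves TLS, then raise it to the one-year value shown in the tip.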