Extremely Serious

Month: June 2017

HTTP Strict Transport Security (HSTS)

Have you ever noticed that when you access some websites the browser always switches to the HTTPS scheme? This can happen for one of the following reasons:

The server requests a redirect to an https scheme.

Or

The browser receives a Strict-Transport-Security (STS) header.

This post is about the second one. With the advent of the Let's Encrypt CA, anyone can now get a free SSL certificate, which normally lasts for 3 months. To keep the site secured beyond that, just use or write a script that renews the certificate automatically.

The server can tell the browser to always use HTTPS for a period of time by using HSTS.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

We can observe HSTS in action in Chrome via the developer tools. If you access a website via HTTP, you can see in the picture at the bottom that an internal redirect takes place (i.e. 307 Internal Redirect). This is not a redirect response coming from the server but one generated by the browser itself. Another clue is the presence of the Non-Authoritative-Reason: HSTS header.
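To make the browser-side behaviour concrete, here is an added example in Python (not code from the original post) that parses a Strict-Transport-Security header and models the browser's HSTS cache: a policy is only recorded when the response arrived over HTTPS, it expires after max-age seconds, includeSubDomains extends it to subdomains, and a later plain-HTTP URL for a known host is rewritten to HTTPS before any request leaves the browser, which is what shows up as the 307 Internal Redirect in the developer tools. The host names and header values are constructed for the example.

```python
"""Minimal model of how a browser applies HSTS (added example, not from the post)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses: the first arrived over HTTPS (policy must be
# honoured), the second over plain HTTP (policy must be ignored, RFC 6797 8.1).
SAMPLE_RESPONSES = [
    ("https://example.test/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://insecure.test/", {"Strict-Transport-Security": "max-age=31536000"}),
]


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    mandatory max-age directive is missing or not a non-negative integer.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """In-memory HSTS cache keyed by host, like the browser's internal list."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._entries = {}         # host -> (expiry_timestamp, include_subdomains)

    def observe(self, url, headers):
        """Record the policy carried by a response; True if it was accepted."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False           # header over plain HTTP is ignored
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue           # expired entry, no longer enforced
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser actually fetches (the 307 Internal Redirect)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Feed the constructed responses in, then ask how an http:// URL is treated."""
    store = HstsStore()
    for url, headers in SAMPLE_RESPONSES:
        store.observe(url, headers)
    return store.upgrade("http://www.example.test/index.html"), store.upgrade("http://insecure.test/")


if __name__ == "__main__":
    print(demo())
```

The first URL in demo() is upgraded because example.test set the policy over HTTPS with includeSubDomains; the second stays plain HTTP because a header received over HTTP is never trusted, which is why the site must already be reachable over HTTPS before HSTS can help.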

The Upgrade-Insecure-Requests header tells the server that the browser prefers the secured content to be served. Thus, if our website contains a mixture of HTTP and HTTPS artifacts (e.g. CSS, JavaScript), everything will be served over HTTPS.


Windows Command Output to Clipboard

Sometimes it is useful to capture the output of a command and paste it into a text editor. For this we can use piping and the clip command (which sends its input to the Windows clipboard).

Example:

Suppose we go to a directory and run the tree command, but it returns a very long output that exceeds the screen. We can redirect the output to the Windows clipboard temporarily and then paste it into a text editor.

  1. Open a command terminal.
  2. Run the following tree command:

%USERPROFILE%>tree

Where %USERPROFILE% normally resolves to our local home directory.

The output might not fit on the command terminal screen.

  3. Redirect it to the Windows clipboard with the following command:

%USERPROFILE%>tree | clip

You will see no output because it is sent to the Windows clipboard instead.

  4. Open a text editor of your choice (or anything else where we want to paste the output) and paste.

Check that the last entries from step 2 appear in the pasted output.

SSL Secured WordPress on Seagate Personal Cloud

    1. Log in as Administrator on your Seagate Personal Cloud.
    2. Install the WordPress application.
    3. Access the newly installed WordPress application.
    4. Set up the user information of the first user (i.e. admin by default) of WordPress.
    5. Update the General Settings with the following:

      Field                    Value
      WordPress Address (URL)  https://<valid-url>/apps/wordpress
      Site Address (URL)       https://<valid-url>/apps/wordpress

    6. Add the SSL Insecure Content Fixer plugin.
    7. Set up the SSL Insecure Content Fixer with the following:

      Field                    Value
      Fix insecure content     Capture All
      HTTPS detection          unable to detect HTTPS