How to protect user data from interception.

There are many types of possible attacks on websites. Fortunately, most of them no longer apply when you use a modern content management system such as WordPress. Today we will talk about a vulnerability that is present on many sites.

Plain HTTP is available.

When a user opens http://hotels.com over the Wi-Fi in a cafe, their credentials can be stolen.

Often, site owners automatically redirect from the unsecured http connection to the secured https one. But before the browser receives the command to establish a secure connection, it has already sent a request over the unprotected connection, and all the data transmitted in that request is available for interception at that moment.

Server setup.

To prevent this attack, add a special header to the configuration of your server. It tells the browser to remember that your site must be accessed only over https. Once the browser has received this instruction, it will no longer visit your site over an unsecured connection.

Nginx

Add the following line to your domain's server block.

server {
    # HSTS is only honoured over TLS; the ssl_certificate directives are omitted here
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

This line should appear only in the SSL (port 443) server block.

Apache

Add the following line to your virtual host configuration.

<VirtualHost *:443>
    # requires mod_headers; use straight quotes, curly quotes break the directive
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

This line should appear only in the SSL (port 443) virtual host.
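To verify that the header above is actually served, here is an added checker (not part of the original article) that parses a Strict-Transport-Security value and reports the weaknesses a browser would not tolerate: a missing header, a missing or zero max-age, or no includeSubDomains. The one-year minimum in MIN_MAX_AGE is an assumption matching the max-age used in the configurations above.

```python
from urllib.request import Request, urlopen

# Assumed minimum: the one-year max-age (31536000 s) used in the configurations above.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a value such as 'max-age=31536000; includeSubDomains' into a policy dict.

    Directive names are case-insensitive; max-age must be a non-negative integer.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("HSTS max-age is not an integer: %r" % arg)
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers):
    """Return a list of problems with the HSTS policy in a response-header mapping (empty = OK)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the first http:// request stays interceptable"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age directive missing: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age %d is below one year" % policy["max_age"])
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings


def check_site(url):
    """Fetch an https:// URL and audit its HSTS header (browsers only honour HSTS over TLS)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return hsts_findings(resp.headers)
```

Run check_site("https://your-domain.example") against your own site; an empty list means the header is served as configured above.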

We have described an attack that depends on the settings of the server software. This vulnerability is found on almost 95% of all websites. Against other attacks, you will be protected by keeping your software updated in good time.
