Donmai

Configure HSTS

Posted under Bugs & Features

Having installed SSL on my forum a few months ago, I decided to look into HSTS last night thanks to this thread, and finally created an .htaccess file that worked (not as easy as it sounds).

Just now I saw the padlock still had insecure content, and via Chrome inspect element found it was simply one link on the index.php. When I took out the google search plugin, the insecure bit had vanished. I mention this because of the irony that old Google, which has been shoving SSL on all of us, apparently can't just resolve http:// links to Google into https:// links automagically...


So I'm glad for this thread: mine was the cheapest, about $4 a year from GoGetSSL; but multi-domain costs about $15 a year. It's getting to be a necessary component of websiting now. I think it would be best for Danbooru...
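For reference, a minimal .htaccess of the kind described above, added here as an example rather than Claverhouse's actual file. It assumes mod_rewrite and mod_headers are loaded and that AllowOverride permits FileInfo in the directory.

```apache
# Added example .htaccess (not the original poster's file). Assumes mod_rewrite
# and mod_headers are enabled and AllowOverride allows FileInfo.

# 1. Send every plain-HTTP request to the same URL over HTTPS first. Without
#    this, an HSTS header never reaches the browser, because browsers ignore
#    Strict-Transport-Security received over plain HTTP.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Emit HSTS only on HTTPS responses (env=HTTPS is set by mod_ssl).
#    Start with a short max-age while testing, raise it once everything loads
#    over HTTPS, and add includeSubDomains only if every subdomain has a
#    working certificate; a wrong HSTS policy is cached by visitors' browsers.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
```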

Claverhouse said:

Just now I saw the padlock still had insecure content, and via Chrome inspect element found it was simply one link on the index.php. When I took out the google search plugin, the insecure bit had vanished. I mention this because of the irony that old Google, which has been shoving SSL on all of us, apparently can't just resolve http:// links to Google into https:// links automagically...

Well, Google did “resolve” the HTTP link. It worked (albeit insecurely), didn’t it? Didn’t your site instruct visitors’ browsers to contact Google via HTTP? Google can’t really prevent that. The solution would be to change the script URL on your site (I’m guessing that that’s what it is) from http:// to https:// and everything should be dandy. If you already had changed it to that and the Google script made HTTP requests anyway... well, that would be weird, indeed.

This is kind of off-topic, though. Feel free to dm me if you have any questions.

evazion said:

  • Add a http://insecure.donmai.us domain that doesn't use HSTS. If you really need to use HTTP, then you can opt-in to it explicitly by using this domain.

+1
The HTTPS-only flag on cookies sent via HTTPS is still required, though, because there will surely be some users handing out links to the insecure domain.


kittey said:

Well, Google did “resolve” the HTTP link. It worked (albeit insecurely), didn’t it? Didn’t your site instruct visitors’ browsers to contact Google via HTTP? Google can’t really prevent that.

I can't see why any requests to Google through http can't simply be changed on arrival to https.

The solution would be to change the script URL on your site (I’m guessing that that’s what it is) from http:// to https:// and everything should be dandy. If you already had changed it to that and the Google script made HTTP requests anyway... well, that would be weird, indeed.

The http request was in a vBulletin plug-in, MARCO's Google Search. I can alter templates and pages, but I can't edit plug-ins.


I'm still grateful to this thread for introducing me to HSTS.

I always wondered why Danbooru doesn’t just default to https from the beginning. Having to sign in again through http after signing in through https just to ensure I’m signed in no matter the security type of Danbooru I access is annoying.

I was wondering what was going on. I'm on an older device, but everything was fine until tonight when collapsible menus were all open, and all translation notes were GONE. I tried insecure.donmai without logging in, but same result. Using a proxy somehow fixes it.

Is that some kind of bug, that notes/translations would be the only things lost, or do I just have to proxy this site now on this device? If translations worked and I just couldn't login due to security, I'd at least be able to still use the site the way I want for the most part. Using a proxy works for now I suppose as long as it keeps working, but I guess I just don't understand why notes and collapsing menus and other... I assume CSS-related things are affected, but things like images and login and being able to access the site at all aren't affected. *shrug*

RaisingK said:

I suppose this is why all my edits via the API suddenly started giving me 307 Temporary Redirect errors. Switching my program to HTTPS fixed it.

Yes, HTTP requests will now be redirected to HTTPS, so scripts should follow redirects if they don't already.
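The redirect RaisingK's script ran into and the Secure cookie flag raised earlier in the thread can be checked together from a script. This is an added example, not Danbooru's code; the two responses and the host example.test are constructed.

```python
# Offline checker for an HTTPS-only rollout: redirect, HSTS header, Secure cookies.
# Added example, not Danbooru's code; the responses below are constructed and
# example.test is a placeholder host.
import re
from urllib.parse import urlsplit

# Constructed responses: what a scripted client receives for http:// and https://.
HTTP_RESPONSE = {"status": 307,
                 "headers": {"Location": "https://example.test/posts.json"}}
HTTPS_RESPONSE = {"status": 200,
                  "headers": {
                      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                      "Set-Cookie": ["_session=abc123; Path=/; Secure; HttpOnly",
                                     "hide_upgrade=1; Path=/"]}}

def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives

def insecure_cookies(set_cookie_headers):
    """Names of cookies set without the Secure attribute (they leak over any http:// link)."""
    names = []
    for header in set_cookie_headers:
        name_value, *attrs = header.split(";")
        if "secure" not in {a.strip().lower() for a in attrs}:
            names.append(name_value.split("=", 1)[0].strip())
    return names

def check_rollout(http_resp, https_resp, host):
    """Return a dict of findings for the http:// and https:// responses of one host."""
    target = urlsplit(http_resp["headers"].get("Location", ""))
    # Plain HTTP must redirect to the same host over HTTPS; API scripts need to follow it.
    redirects = (http_resp["status"] in (301, 302, 307, 308)
                 and target.scheme == "https" and target.hostname == host)
    # HSTS counts only on the HTTPS response; browsers ignore it when received over HTTP.
    hsts = https_resp["headers"].get("Strict-Transport-Security")
    max_age, subdomains = parse_hsts(hsts) if hsts else (None, False)
    return {"redirects_to_https": redirects,
            "hsts_max_age": max_age,
            "hsts_include_subdomains": subdomains,
            "insecure_cookies": insecure_cookies(https_resp["headers"].get("Set-Cookie", []))}
```

Against the constructed responses the checker reports one cookie, hide_upgrade, set without Secure; that is exactly the kind of cookie a link to the insecure domain would expose.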

MAGNUS-8M said:

I was wondering what was going on. I'm on an older device, but everything was fine until tonight when collapsible menus were all open, and all translation notes were GONE. I tried insecure.donmai without logging in, but same result. Using a proxy somehow fixes it.

These are symptoms of the site's JavaScript failing to load. If you can, press F12 to open your browser's developer tools, then go to the "Console" tab and take a screenshot of any errors that may be listed there (see here for a walkthrough of this process).

I'm not quite able to screenshot at the moment, maybe tomorrow. What I can see is ReferenceErrors on can't find variable $, jQuery, SSL Connect error, and something about CA Certificates. I have to go through a gate on this device to make that visible on another device, so I have to guess that it's reporting the actual problem and not something in between...

Eh, I know this sounds stupid, but this is on a Wii U browser actually (I've been using it for catching up on YouTube at the end of the day while reading manga here because it can do both at the same time, and it's the best device I have for it... the other device I have has a messed up charge-jack that drains the battery faster if the plug isn't seated perfectly)... glancing around Google, it seemed like sites were saying it can do jQuery, but I dunno.

When I clicked that link you gave, it came up with an error asking if I trust it and whether to Allow or not... allowing it took me to a page with a bunch of code-text. That looks like it did the trick, because checking the site again, the CSS stuff and translations are worki-

Ahh. Huh. Well, I can fix this by using a bookmark for that code-page at the start of every night, then. Apparently because it can't find the certificate for that site, I have to manually visit that code-page in order for it to work by manually saying to Allow it... but because it's a gaming console, major-security changes like that are reset to default when the browser is reloaded later, so I have to manually reload it every time. After I allow it, it has a little red-X over a Lock-icon both on the code-page and Danbooru's pages, but I'm sure that's more their way of covering themselves than it actually being bad.

But yeah, it might be an extra step, but that will definitely help for hopefully as long as it works then, thanks!

I attempted to sign in on the unencrypted server; however, a session was not created, so has making a session been disabled? If not, it should be. And there shouldn't even be a field to enter login credentials, since a login could be intercepted even if it's disabled.

Also, for encrypted parts of the site, the 'Sign in securely' should be removed when it's only possible to sign in through the encrypted site.
