Posts

Showing posts from October, 2015

Enable HTTP Strict Transport Security in Apache

While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers not to allow any connection using plain HTTP and attempts to prevent site visitors from bypassing invalid certificate warnings. This can be achieved by setting the following within the Apache VirtualHost file:

    <VirtualHost *:443>
        ServerName example.com
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </VirtualHost>

This example configuration will make all subdomains accessible only via HTTPS. If you have subdomains that are not accessible via HTTPS, remove includeSubDomains; from the header value. Note: this requires the mod_headers module to be enabled in Apache. The max-age of 31536000 seconds is a long one, one year.

Redirect all unencrypted traffic to HTTPS in Apache

To redirect all HTTP traffic to HTTPS, administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts config:

    <VirtualHost *:80>
        ServerName example.com
        Redirect permanent / https://example.com/
    </VirtualHost>
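As an added check for both posts above (example code written for this page, not taken from the original posts or from Apache), the following Python parses a Strict-Transport-Security value the way a browser would and flags deviations from the recommended policy, and verifies that a plain-HTTP response is a permanent redirect to https:// on the same host; all header values and responses it is fed are constructed samples.

```python
"""Offline checks for the HSTS header and the HTTP->HTTPS redirect shown above."""
from urllib.parse import urlsplit
ONE_YEAR = 31536000  # seconds; the max-age value used in the Apache config


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict;
    names are case-insensitive so keys are lower-cased, max-age becomes int."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:  # tolerate a trailing or doubled semicolon
            continue
        if name == "max-age":
            arg = arg.strip().strip('"')  # the RFC allows a quoted-string value
            if not arg.isdecimal():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(arg)
        else:
            directives[name] = True  # flag directive (includeSubDomains, preload)
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives

def hsts_findings(value):
    """List deviations from the recommended policy; an empty list means it matches."""
    d = parse_hsts(value)
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append("max-age shorter than one year (%d)" % d["max-age"])
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" in d and ("includesubdomains" not in d or d["max-age"] < ONE_YEAR):
        # browser preload lists require both a one-year max-age and includeSubDomains
        problems.append("preload set without meeting preload requirements")
    return problems

def redirect_findings(status, location, host):
    """Check a plain-HTTP response is a 301 to https:// on the same host,
    which is what 'Redirect permanent / https://example.com/' produces."""
    problems = []
    if status != 301:
        problems.append("expected 301, got %d" % status)
    url = urlsplit(location or "")
    if url.scheme != "https":
        problems.append("Location is not an https:// URL")
    if url.hostname != host:
        problems.append("Location does not keep the host %s" % host)
    return problems
```

Run the functions against the headers returned by your own server (for example from the output of curl -I) to confirm the deployed policy matches the configuration above.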