HSTS with nginx and Varnish

SSL is good. It’s not perfect, but it makes life harder for mass surveillance and all websites should be using it. Yes, I know this blog doesn’t – I’ll get around to it.

I upgraded one of my sites to use HSTS (HTTP Strict Transport Security), a response header that tells browsers to use SSL for a domain wherever it is available. In practice this means that after the first response received over HTTPS, the browser remembers that the domain uses SSL and makes sure any subsequent requests go over HTTPS: a plain HTTP request is rewritten to HTTPS by the browser itself before it ever leaves the machine. This is great – not only does it mean that you’re less likely to have clients making requests in the clear when they should be using SSL, but it means that SSL stripping attacks will be foiled.
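To make the browser-side behaviour described above concrete, here is a small added example (written for this post, not code from the original article or from nginx or Varnish) that simulates a browser’s HSTS policy cache: it parses the `Strict-Transport-Security` header, only honours it when it arrived over HTTPS, remembers the policy until `max-age` expires, respects `includeSubDomains`, and rewrites `http://` URLs to `https://` for hosts it knows. The class and function names (`parse_hsts`, `HstsCache`, `demo`) and the sample responses are my own constructions.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the
    header is invalid (max-age is mandatory per RFC 6797).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal model of the per-host HSTS store a browser keeps."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.policies = {}        # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Record a policy from a response. Only HTTPS responses count:
        a header seen over plain HTTP could have been injected by an
        on-path attacker, so browsers ignore it there."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        header = next((v for k, v in headers.items()
                       if k.lower() == "strict-transport-security"), None)
        if header is None:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 withdraws the policy
            return True
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if an unexpired policy covers host (directly or via a
        parent domain that set includeSubDomains)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if self.now() >= expires_at:
                continue                    # expired: treated as absent
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"      # explicit port 80 becomes 443 (dropped)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the lifecycle with constructed sample responses."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    results = {}
    # Constructed response over plain HTTP: header must be ignored.
    cache.observe_response("http://example.com/",
                           {"Strict-Transport-Security": "max-age=31536000"})
    results["http_ignored"] = cache.rewrite("http://example.com/")
    # Constructed response over HTTPS: policy is stored for a year.
    cache.observe_response("https://example.com/",
                           {"Strict-Transport-Security":
                            "max-age=31536000; includeSubDomains"})
    results["root"] = cache.rewrite("http://example.com/login")
    results["sub"] = cache.rewrite("http://www.example.com/")
    results["other"] = cache.rewrite("http://example.org/")
    clock[0] += 31536000 + 1                 # advance past max-age
    results["expired"] = cache.rewrite("http://example.com/")
    return results


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:13s} -> {url}")
```

The two checks worth noticing are the ones that make HSTS safe in practice: the header is discarded when it arrives over HTTP, and a policy silently lapses once `max-age` runs out, which is why production deployments use a long `max-age` and keep sending the header on every HTTPS response.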