I’m using basic auth where the user sends their username an password in the header. These requests will be done over HTTPS for security (since the password would be in plain text otherwise). If the user accidentally makes a request via HTTP, is there a way in nginx that I can close the connection before they send their authorization header? I’m concerned if I simply redirect them to HTTPS, their password will have still be sent in plain text for the first request.
This is what Strict Transport Security is for.
Add this in the appropriate
add_header Strict-Transport-Security max-age=315360000;
This will instruct web browsers, once they have visited your site at least once, to never attempt to visit it again (within the number of seconds specified by
max-age) without using HTTPS.
The time you specify in
max-age should be at least as long as the duration of any cookies you provide the user.
Note that you must only serve this header on HTTPS responses, and that to complete the loop you should redirect any HTTP requests to the equivalent HTTPS URL.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.