This HTTP header will do:

Require all traffic to go through an SSL tunnel
Refuse connections with certificate isssues

By setting this http header you can force your website to use an SSL connection for all traffic and prevent users from clicking through a certificate issue on your website.

This header can help prevent man in the middle attacks, an attacker can remove the SSL tunnel (https to http) or use a custom signed certificate (most users would click through it anyway). By setting this http header your browser wouldn’t allow this connection because it requires SSL or because of the certificate issue. The attacker could just remove this header.

This header has a parameter, max-age, when set will instruct the browser to remember the settings for this header for x amount of seconds. If a user visits a website and the browser remembers the settings then they are not vulnerable to this attack.

Advertisements