HSTS vs RewriteRule

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule:



RewriteEngine On 
RewriteCond %HTTPS off
RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?










share|improve this question

























    up vote
    1
    down vote

    favorite












    I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule:



    RewriteEngine On 
    RewriteCond %HTTPS off
    RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


    My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?










    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule:



      RewriteEngine On 
      RewriteCond %HTTPS off
      RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


      My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?










      share|improve this question













      I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule:



      RewriteEngine On 
      RewriteCond %HTTPS off
      RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


      My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?







      tls hsts htaccess






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 4 hours ago









      Nosajimiki

      1586




      1586




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          5
          down vote



          accepted










          No, a rewrite rule is still vulnerable to attacks like sslstrip.



          If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "162"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196863%2fhsts-vs-rewriterule%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            5
            down vote



            accepted










            No, a rewrite rule is still vulnerable to attacks like sslstrip.



            If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






            share|improve this answer
























              up vote
              5
              down vote



              accepted










              No, a rewrite rule is still vulnerable to attacks like sslstrip.



              If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






              share|improve this answer






















                up vote
                5
                down vote



                accepted







                up vote
                5
                down vote



                accepted






                No, a rewrite rule is still vulnerable to attacks like sslstrip.



                If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






                share|improve this answer












                No, a rewrite rule is still vulnerable to attacks like sslstrip.



                If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 4 hours ago









                AndrolGenhald

                8,03941728




                8,03941728



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196863%2fhsts-vs-rewriterule%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Comments

                    Popular posts from this blog

                    What does second last employer means? [closed]

                    Installing NextGIS Connect into QGIS 3?

                    One-line joke