HSTS vs RewriteRule

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule: 



RewriteEngine On 
RewriteCond %HTTPS off
RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?






tls hsts htaccess







share|improve this question

























    up vote
    1
    down vote

    favorite












    I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule: 



    RewriteEngine On 
    RewriteCond %HTTPS off
    RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


    My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?






    tls hsts htaccess







    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule: 



      RewriteEngine On 
      RewriteCond %HTTPS off
      RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


      My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?






      tls hsts htaccess







      share|improve this question













      I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following RewriteRule: 



      RewriteEngine On 
      RewriteCond %HTTPS off
      RewriteRule ^(.*)$ https://%HTTP_HOST%REQUEST_URI [L,R=301]


      My question is: are RewriteRules subject to the same general vulnerability as redirects, or are they a comparably safe alternative to HSTS?






      tls hsts htaccess




      tls hsts htaccess






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 4 hours ago









      Nosajimiki

      1586




      1586




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          5
          down vote



          accepted










          No, a rewrite rule is still vulnerable to attacks like sslstrip.



          If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "162"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196863%2fhsts-vs-rewriterule%23new-answer', 'question_page');

            );

            Post as a guest

















            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            5
            down vote



            accepted










            No, a rewrite rule is still vulnerable to attacks like sslstrip.



            If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






            share|improve this answer
























              up vote
              5
              down vote



              accepted










              No, a rewrite rule is still vulnerable to attacks like sslstrip.



              If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






              share|improve this answer






















                up vote
                5
                down vote



                accepted







                up vote
                5
                down vote



                accepted






                No, a rewrite rule is still vulnerable to attacks like sslstrip.



                If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.






                share|improve this answer












                No, a rewrite rule is still vulnerable to attacks like sslstrip.



                If you look at the documentation or try it out, you'll see that your rewrite rule is actually creating a redirect.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 4 hours ago









                AndrolGenhald

                8,03941728




                8,03941728



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196863%2fhsts-vs-rewriterule%23new-answer', 'question_page');

                    );

                    Post as a guest
































































                    Comments

                    Post a Comment

                    Popular posts from this blog

                    Long meetings (6-7 hours a day): Being “babysat” by supervisor

                    Image
                    Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
                    Read more

                    Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
                    Read more

                    Confectionery

                    Image
                    Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
                    Read more