The Strict-Transport-Security (HSTS) header tells browsers to always use HTTPS for the site. Without it, the initial plain-HTTP request (before the redirect to HTTPS) can be intercepted, letting an attacker perform a man-in-the-middle attack.
Send the header on every HTTPS response so that browsers automatically upgrade HTTP requests to HTTPS. (Browsers ignore the header on plain-HTTP responses, so it must be set on the HTTPS side.)
Best practice:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Content Sniffing
Certain browsers try to determine the content type and encoding of the response even when these properties are defined correctly...