Security Tip: Ensure Your App Requires HTTPS!

[Tip #96] Encryption is essential, but you can't just install a certificate and go about your day... Secure those cookies, redirect from HTTP, and HSTS FTW! 🎉

Security Tip: Ensure Your App Requires HTTPS!

Encryption is a critical part of being secure online, and when it comes to securing our own apps, one of the forms of encryption we need to care about is HTTPS. You need an encrypted connection between your users browser and your app, to keep your users (and your app!) safe.

However, you can't simply install a certificate and call it a job done. (Ok, technically, installing certificates IS simple, Thanks Let's Encrypt!, but hopefully you get the point.) Instead, you need to add a few more layers of security, because browsers (still) like to default to unencrypted HTTP connections, and if you end up on a compromised Wi-Fi network, you may be downgraded to an unencrypted HTTP connection!

You need to take the following steps to ensure your users don't end up on an unencrypted connection:

  1. Ensure your cookies have the Secure flag set.
    Either set SESSION_SECURE_COOKIE=true, or upgrade to the latest version of Laravel to get auto-secured cookies.
  2. Ensure your web server (i.e. nginx, Apache, etc), or proxy, load-balancer, etc always redirects HTTP to HTTPS.
    Ensure unencrypted HTTP requests never hit your app, so a valid HTTPS connection is required.
  3. If your app sees HTTP requests internally, to force Laravel to generate HTTPS URLs.
    Use URL::forceScheme('https'), or the new URL::forceHttps(). This is important if your proxy/load-balancer passes requests via HTTP to your app internally, so your app generates HTTPS links in emails, etc.
  4. Enable the Strict-Transport-Security (HSTS) header, and ideally get on the preload list!
    This ensures the users browser will require a HTTPS connection, which makes Downgrade or Person in the Middle (PitM) attacks significantly harder (or even impossible, if you get on the HSTS Preload list).

If you can add all of those layers, your app will be resistant to Downgrade and Person in the Middle (PitM) attacks, and your users will be safer.


Appendices

Found this security tip helpful? Don't forget to subscribe to receive new Security Tips each week, and upgrade to a premium subscription to receive monthly In Depth articles, or toss a coin in the tip jar.

Reach out if you're looking for a Laravel Security Audit and Penetration Test or a budget-friendly Security Review, and find me on the various socials through Pinkary. Finally, don't forget to check out Practical Laravel Security, my interactive security course.