• This app, while offering an easy way to enable security features for https, fundamentally fails in providing a secure practice by not providing HSTS too. To all the plugin users, HSTS is merely extra parameters on the few lines this plugin applies.

    No security plugin should prevent enabling standard features built into web servers for profit. People should only pay for value add features that go beyond standard software. Do not support this behavior by installing this app.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Well Jonathan, of course everybody can add HSTS themselves. And everybody can migrate the site to https themselves as well. But for a lot of users this plugin offers an easy way to do the migration, entirely for free. And for those users who do not want to or cannot edit stuff like the .htaccess file, the pro plugin will handle it for them. It’s up to users themselves if they go for the easy way with the plugin, or if they do it themselves.

    I’ve always taken care to offer a fully functional plugin, but I also think it more than reasonable to ask a small price for a premium plugin that offers more features and support. I think this is a great deal for everyone. All users get the free plugin, and an extensive knowledgebase (which is also open to everyone by the way). Users who want more features and/or support pay a little extra, and I get paid for the time I put in. I don’t see who loses here.

    The fact is: the premium plugin makes it possible for me to maintain and develop the free plugin. And I think you overlooked the fact that the premium offers much more than HSTS alone. Support is included, and a lot of work also has gone into the scan that checks for hotlinked images, hardcoded http links in css/js files and in resources on other servers.

    What I’d like to ask you: should developers work full-time on their plugins and support for free?

    @wolfgang8741:

    Just put this in your .htaccess:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    Header set Strict-Transport-Security "max-age=31536000"

  • The topic ‘Premium required to enable HSTS’ is closed to new replies.
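
A way to check that the Strict-Transport-Security value produced by .htaccess lines like those in the last reply is one a browser will honour. This is an added example, not part of the thread or the plugin; the function names, the `min_age` floor and the sample values are assumptions made for illustration.

```python
import re

# RFC 7230 token characters; a directive value is a token or a quoted-string.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*("[^"]*"|{TOKEN}))?')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns a dict of directives, or None when a browser would ignore it."""
    directives = {}
    for part in value.split(";"):   # simplification: no ';' inside quoted values
        part = part.strip()
        if not part:
            continue                # the grammar allows empty directives
        m = DIRECTIVE.fullmatch(part)
        if m is None:
            return None             # not a valid directive
        name, val = m.group(1).lower(), m.group(2)
        if name in directives:
            return None             # a directive may appear only once
        directives[name] = val.strip('"') if val is not None else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                 # max-age is required and must be digits
    directives["max-age"] = int(age)
    return directives

def audit(scheme, value, min_age=31536000):
    """Return findings for one response. min_age is an assumed policy floor,
    set here to the one-year value used in the reply."""
    findings = []
    if scheme != "https":
        findings.append("sent over plain HTTP: browsers ignore HSTS here")
    policy = parse_hsts(value)
    if policy is None:
        return findings + ["malformed value: browsers discard the header"]
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    elif policy["max-age"] < min_age:
        findings.append("max-age below the required minimum")
    if "includesubdomains" not in policy:
        findings.append("no includeSubDomains: only this host is covered")
    return findings

# Constructed sample values, not captured from a real site.
SAMPLES = ["max-age=31536000", "\u201cmax-age=31536000\u201d", "max-age=300; includeSubDomains"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit("https", s))
```

The second sample wraps the value in typographic quotes, as happens when a directive is copied from a rendered web page; the header is then sent with those characters in it and is discarded as malformed.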