Hello all, finalizing, need advise on Security

Below from the Sparkle Community, are some suggestions that I read through, but what really needs to be applied?

"Put in Header:

Header set Content-Security-Policy: upgrade-insecure-requests

The one other thing I’ll had (which is also done in your cPanel) is force HTTPS by the function “Domain Redirect”. Although you have attached a SSL Certificate users that input (and even Google can do this) “http://www” or “www” can still rockup to your website with the “this site is insecure” message popping up which just sucks!

So redirect all www and non-www onto https://yourdomain.com

The web address in the general site settings can be changed to have a leading https://.

You also need the non secure site to redirect to the secure site, this varies depending on the web server and is currently not configured in Sparkle also because of that.

For Apache web servers (the most common) you need to create a file named .htaccess in the root of your website, perhaps using the file manager of your web host or a third party FTP application. The file should contain the following:

RewriteEngine on

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This works with any domain name.

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS "


@jfmusic, This all happens on the hosting server so just for the record it has nothing to do with Sparkle other than Sparkle uploading html/CSS/javascript to the hosting server.

In most modern cPanels you can do a “permanent” 301 redirect and make sure that you have not only selected “www” and “http” but also “wildcard”. Doing it this way I have never had an issue! :slight_smile:

I did understand the Placement part of it, it was more a question of do I need to do it.

Thank you again, will do it.