Enable security by default

This is similar to a few other topics, but broader.

The Dreamhost new site hosting screen presents a variety of security options, most of which are enabled by default (which is great!). Unfortunately, arguably the most critical one is not enabled by default – turning on HTTPS. Worse, even if the customer checks the HTTPS box, he’s still left with a site in an insecure state, until he does some .htaccess hacking.

Dreamhost should automate the features that currently require .htaccess hacking (as they do with adding/removing “www”), and change the default settings so that a site configured with the defaults will be in a good security posture.

  • At a minimum:
    1. Enable HTTPS by default
    2. Set up an automatic redirect from “http:” URLs to the corresponding “https:” URLs
  • Bonus points:
    1. Emit HSTS headers
    2. Enable site owners to submit to the HSTS preload list
    3. Provision a CAA record for the hosted domain

The points under “at a minimum” really are the minimum required for a site to be in a secure posture, and they should be enabled by default – really there’s no excuse for a modern website not to take these steps.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.