This is similar to a few other topics, but broader.
The Dreamhost new site hosting screen presents a variety of security options, most of which are enabled by default (which is great!). Unfortunately, arguably the most critical one is not enabled by default – turning on HTTPS. Worse, even if the customer checks the HTTPS box, he’s still left with a site in an insecure state, until he does some .htaccess hacking.
Dreamhost should automate the features that currently require .htaccess hacking (as they do with adding/removing “www”), and change the default settings so that a site configured with the defaults will be in a good security posture.
- At a minimum:
  - Enable HTTPS by default
  - Set up an automatic redirect from “http:” URLs to the corresponding “https:” URLs
- Bonus points:
The points under “at a minimum” really are the minimum required for a site to be in a secure posture, and they should be enabled by default – really there’s no excuse for a modern website not to take these steps.
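For reference, this is the kind of .htaccess rule the post is asking Dreamhost to automate. It is an added example, not code from the original post or from Dreamhost; it assumes Apache with mod_rewrite enabled and that the server exposes the standard HTTPS environment variable. The domain `example.com` is a placeholder for the site's own hostname.

```apache
# Added example (not from the original post): send every plain-HTTP request
# to the same path over HTTPS. Assumes Apache with mod_rewrite available.
RewriteEngine On

# Only act on requests that did not arrive over TLS.
RewriteCond %{HTTPS} !=on

# Use a permanent redirect so browsers and search engines remember the
# secure URL. The target hostname is pinned to the site's own domain
# (placeholder "example.com") rather than copied from the request's Host
# header, so a client cannot steer the redirect elsewhere.
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
```

To check the result, fetch the plain-HTTP address with `curl -I http://example.com/` and confirm the response is `301 Moved Permanently` with a `Location:` header pointing at the `https://` URL; then fetch the HTTPS URL the same way and confirm it returns the page directly instead of redirecting again, since a loop there usually means the `%{HTTPS}` variable is not being set on that host.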