Web and Email security - two tips

[David Gibson]

Redirecting HTTP to HTTPS
The new BCA server offers the HTTPS protocol at no added cost. If you want to direct your website readers to an HTTPS URL put this short bit of code in the .htaccess file in your document root.

Code: Select all

RewriteEngine              on
RewriteCond %{HTTPS}       off
RewriteCond %{HTTP_HOST}   !^$
RewriteRule ^(.*)          https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

That says "If the URL is not an HTTPS protocol, and the hostname is not blank, then issue a "Redirect 301" (i.e. "permanent") instruction to the user's browser and Leave the list of rewrite commands".

Sending and receiving email securely
If you want to send and receive email securely, and you dont want the "fuss" of installing any encryption software, or learning how to use it, do bear in mind that if both the email sender and recipient are addresses on one of the BCA mail servers then mail between the two does not travel through the Internet. Provided both parties send and receive by logging into the BCA server securely, or are using secure webmail your email will remain secure. Note...

• "Securely" means that you are not using port 25 for SMTP, nor port 110 for POP3 - those are the traditional and non-secure ports.
• "logging in" means that you are not using mail forwarding to send incoming mail to your personal ISP; nor are you using your ISP for outgoing mail - you are making a direct connection from your email client to the BCA server). You will need to configure your email client specially to do this.
• "Secure webmail" means accessing your BCA email via a browser using an https:// protocol; and not via your email client. Note that you still need the sender and recipient's email to be hosted on a BCA server for it to remain secure.

Failing all that, you need to investigate how to send encrypted email. I found these URLs helpful for setting up Thunderbird... https://support.mozilla.org/en-US/kb/di ... g-messages and https://www.katescomment.com/how-to-enc ... underbird/

[David Gibson]

...and here is a tip from Matt Wire on forcing the WWW prefix to be dropped. Apparently, allowing both www and non-www URLs is "not helpful for SEO/analytics".

Code: Select all

RewriteCond %{HTTPS}       off
RewriteCond %{HTTP_HOST}   ^(?:www\.)?(.+)  [NC]
RewriteRule ^              https://%1%{REQUEST_URI}?debug=%{TIME} [R=301,L]

In the arcane syntax of Regular Expressions, that says: if the HTTP_HOST begins with "www." then drop that and capture everything after it; else capture the entire HTTP_HOST. Then form the URL as "https://" plus %1 [the first capture pattern of the preceding RewriteCond block] plus the REQUEST_URI string.

The bit afterwards, ?debug=%{TIME} is useful if youre debugging, as it forces each URL to be different, so your browser does not cache the URLs and thereby cause you hours of confusion.

The above code rewrites URLs like "www.mydomain.com" to "mydomain.com" and at the same time replaces "http://" with "https://". However, it does not rewrite "https://www.mydomain.com" to "https://mydomain.com" - that's left as an exercise for the reader.