After introducing Perfect Forward Secrecy, the security level of the 4D Web server has been raised again with support for HTTP Strict Transport Security (HSTS). Henceforth, the 4D Web server is compliant with the very latest security protocols. Simply upgrade to 4D v17 and enable HSTS to get the A+ ranking (the highest level) from SSL Labs for your web sites!
The HTTPS protocol is used to secure communications between a client and a server. In a world where your clients can access your site over public WiFi in an airport or at a coffee shop, it's very important to require your clients' browsers to use HTTPS. To do so, just activate the new HSTS feature on your 4D Web server!
ENABLING HSTS
HSTS allows a web server to declare that browsers should only interact with it via secure HTTPS connections. Once activated, the 4D Web server will automatically add the HSTS header (Strict-Transport-Security) to all of its responses.
When a browser receives the 4D Web server's initial response containing the HSTS information, it records it. From that point on, any future HTTP request to that site is automatically transformed into an HTTPS request. You can specify how long the browser stores this information with the Web HSTS max age option.
// The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS.
WEB SET OPTION(Web HSTS max age;25778800)
// Enable HSTS on the 4D Web server
WEB SET OPTION(Web HSTS enabled;1)
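To see what a browser actually records once these two options are set, here is an added example (it is not part of the original post and not 4D code): a small Python parser for the Strict-Transport-Security header following RFC 6797, run over two constructed responses, one carrying the header value that the max-age setting above produces (`max-age=25778800`) and one without it. It also shows two behaviours worth knowing when testing a deployment: a browser ignores the header when it arrives over plain HTTP, so the first visit must already be HTTPS, and `max-age=0` clears any stored policy. The 180-day threshold used for the "long enough" hint is an assumption taken from SSL Labs' published grading notes; check it against the current rating guide.

```python
"""Parse and evaluate a Strict-Transport-Security header (RFC 6797).

Added example, not 4D's code. The sample responses below are constructed
to mirror what a client receives after enabling HSTS on the 4D Web server.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (header name -> value).
SAMPLE_HSTS_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=25778800",  # value from the 4D option above
}
SAMPLE_NO_HSTS_RESPONSE = {"Content-Type": "text/html"}

# Assumed threshold for a "long" max-age (SSL Labs grading notes mention 180 days).
SIX_MONTHS_SECONDS = 180 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy a conforming browser would store, or None if malformed.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, each directive may appear at most once, max-age is
    required, and unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directive (e.g. trailing ';') is permitted
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # directive-value may be a quoted-string
        if name in seen:
            return None  # duplicate directive: header must not be processed
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(headers: dict, over_tls: bool) -> dict:
    """Describe what a browser records from one response and whether the
    max-age is long enough for the assumed 180-day threshold."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if not over_tls:
        # RFC 6797 section 8.1: the header is ignored on non-secure transport,
        # so the very first visit has to be made over HTTPS.
        return {"recorded": False, "reason": "header ignored over plain HTTP"}
    if hsts is None:
        return {"recorded": False, "reason": "no Strict-Transport-Security header"}
    policy = parse_hsts(hsts)
    if policy is None:
        return {"recorded": False, "reason": "malformed header"}
    if policy.max_age == 0:
        return {"recorded": False, "reason": "max-age=0 removes any stored policy"}
    return {
        "recorded": True,
        "policy": policy,
        "long_enough": policy.max_age >= SIX_MONTHS_SECONDS,
    }


if __name__ == "__main__":
    for label, resp, tls in (("HSTS over HTTPS", SAMPLE_HSTS_RESPONSE, True),
                             ("HSTS over HTTP", SAMPLE_HSTS_RESPONSE, False),
                             ("no HSTS", SAMPLE_NO_HSTS_RESPONSE, True)):
        print(f"{label}: {evaluate(resp, tls)}")
```

Point `evaluate` at the headers of a real response (for example from `urllib.request`) to verify a deployment; the `over_tls` flag must reflect the scheme the response was actually fetched over.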
HTTP and HTTPS management
In addition to the Web HSTS max age option, two other options have been added to the WEB SET OPTION command so you can programmatically enable or disable HTTP or HTTPS on your 4D Web server.
// Disable HTTP on your 4D Web server
WEB SET OPTION(Web HTTP enabled;0)
// Enable HTTPS on your 4D Web server
WEB SET OPTION(Web HTTPS enabled;1)
The option to enable or disable HTTP has also been added to the Database Settings, on the Web/Configuration page.