forced_ssl vs access control? about nelmiosecuritybundle HOT 7 CLOSED

access_control means you can't access the site over http AFAIK. This bundle will redirect all http pages to https, and protect your session cookie and optionally send HSTS headers that make things a lot more secure. It's not required for everything, depends what you do really.

from nelmiosecuritybundle.

Thanks.

from nelmiosecuritybundle.

I am using .htaccess to ensure https for my entire site:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Is that sufficient, or should I use use the forced_ssl option from this bundle as well? (I am not planning on using hsts)

from nelmiosecuritybundle.

If you don't want hsts that is pretty much equivalent yeah. You should usually do hsts though I think :)

from nelmiosecuritybundle.

Fair enough. The hsts header can also be added via .htaccess as well.

from nelmiosecuritybundle.

Oh of course, most of these can be done at the server level, but many don't know how or don't have the server config infrastructure to ensure it's done consistently, so having it done in the app can be valuable in some cases.

from nelmiosecuritybundle.

I see, thanks! I previously used the flexible_ssl option which was great. Now, I have the entire site using ssl so I am determining the need for this bundle.

from nelmiosecuritybundle.