Spring boot: Do not send HSTS header

Views: 163

Problem description


In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up the request then fails with the error Response for preflight is invalid (redirect).

Recommended answer


If you don’t have HTTPS set up then the HSTS value should never be read - browsers must ignore HSTS sent over an unencrypted HTTP connection.


If you once did have HTTPS but now no longer do (or if you have HTTPS on some of your domains/pages), then your browser may have cached the HSTS setting for whatever max-age value was set when the browser last read the header. You would need to clear this in your browser. How to do this varies from browser to browser, but one of the easier ways that works in all browsers is to publish a new HSTS header with a max-age of 0 like you have done and then visit a page over HTTPS (not over unencrypted HTTP). This obviously requires you to have an HTTPS setup which you say you do not have? After all your browsers have got the new setting for all affected domains, you can then stop publishing that HSTS header completely.


Skipping the reset step and just turning off the header when the browser has a previous version cached will not work - at least until the browser’s cached version expires after the max-age time.
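Added example (not code from the question or the answer above): a small Python model of a browser's HSTS cache following RFC 6797, which makes the answer's three points concrete: a Strict-Transport-Security header received over plain HTTP is ignored, `max-age=0` received over HTTPS deletes the cached entry, and simply no longer sending the header leaves the entry (and the internal 307 upgrade) in place until its max-age runs out. Host names and header values are constructed.

```python
"""Toy model of a browser's HSTS cache (RFC 6797 semantics), written for this example."""
from dataclasses import dataclass
import re


@dataclass
class HstsEntry:
    expires_at: float         # absolute time (seconds) at which the entry expires
    include_subdomains: bool  # whether the includeSubDomains directive was present


class HstsCache:
    """Simplified per-host HSTS store: host -> HstsEntry."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, scheme, header, now):
        """Process a Strict-Transport-Security header (or None if absent) seen on a
        response from `host`; returns a short description of what the browser did."""
        if scheme != "https":
            # RFC 6797 section 8.1: HSTS received over an unencrypted connection is ignored,
            # so neither setting nor resetting (max-age=0) works over plain HTTP.
            return "ignored (not over HTTPS)"
        if header is None:
            # Server stopped sending the header: the existing entry stays until it expires.
            return "no header (cache unchanged)"
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header, re.IGNORECASE)
        if not m:
            return "ignored (no max-age directive)"
        max_age = int(m.group(1))
        if max_age == 0:
            # max-age=0 tells the browser to forget this host immediately.
            self.entries.pop(host, None)
            return "cleared"
        include_sub = re.search(r"includeSubDomains", header, re.IGNORECASE) is not None
        self.entries[host] = HstsEntry(now + max_age, include_sub)
        return f"cached until {now + max_age:.0f}"

    def should_upgrade(self, host, now):
        """True if the browser would rewrite http://host to https:// (the internal 307)."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # the host itself, then each parent domain
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self.entries[candidate]   # expired entry: drop it
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False
```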
