ttf and woff files are not using the HSTS


Question

In my project, HSTS is enabled. So if someone is trying to use the site over HTTP then it redirects to HTTPS.

After the security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS.

On Google Chrome, if I try the below URL then it redirects to HTTPS:

http://example.com/backend/web/lib/roboto/Roboto-Light.woff2

redirects to

https://example.com/backend/web/lib/roboto/Roboto-Light.woff2

If I try the same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

If I try the below URL on both Google Chrome and Firefox it just downloads the file.

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

So what should I do to fix this issue?

Network log after accessing the below URL:

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

It seems that the first file is being loaded by visiting the HTTP URL. But the https one is not being updated in the address bar of the browser, but I'm not sure.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName example.com

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Answer

You need to go back and ask the security scan people why they think this is the case.

You are clearly showing that HSTS is being set for the font files. You are also showing that you are correctly showing the 307 internal redirect for HSTS reasons.

This is the way it's supposed to work. You get two requests in Chrome's network tab (other browsers may be different):

  1. A fake 307 response which upgrades the request from HTTP to HTTPS. This is created by the browser, and the HTTP request never reaches the server. Hence why I call it a "fake" response.
  2. The actual request, sent over HTTPS.

As fonts are downloaded it's difficult to tell that this was downloaded over HTTPS except by looking in the network tab - but that's fine.

If I try the same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

How do you know this? Are you sure you have visited the site over HTTPS to get the HSTS header? The first request may well be over HTTP (though you have a standard redirect in place so this should redirect to HTTPS and then download), but after that it should auto redirect BEFORE the request is sent.

If I try the below URL on both Google Chrome and Firefox it just downloads the file.

It probably does. But after a redirect.

It seems that the first file is being loaded by visiting the HTTP URL. But the https one is not being updated in the address bar of the browser, but I'm not sure.

No, as discussed the first one is a dummy request. The second is the real request which is actually sent to the browser. As the font file is downloaded immediately it doesn't do anything with the URL bar.
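The mechanism the answer describes (the header only counts when received over HTTPS, and a later http:// request to that host is upgraded inside the browser before anything is sent) can be modelled in a few lines. The following is an added illustration written for this page, not code from the question or the answer; it assumes response headers arrive as a dict keyed exactly "Strict-Transport-Security" and uses the header value from the Apache config above as its sample policy.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value; directive names are case-insensitive
    (so the config's 'includeSubdomains' counts) and an empty trailing directive
    from ';' at the end is ignored. Returns None if max-age is missing/invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Model of a browser's HSTS host cache: {host: (expiry, include_subdomains)}."""

    def __init__(self):
        self._hosts = {}

    def observe(self, host, scheme, headers, now):
        """Record a response's policy. Ignored unless the response came over HTTPS,
        which is why the site must be visited via https:// at least once."""
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy["max_age"] == 0:  # max-age=0 removes the host from the cache
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, host, now):
        """True if an http:// request to host is rewritten to https:// by the browser
        before it is sent (Chrome shows this as a '307 Internal Redirect')."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown or expired policy
            if i == 0 or entry[1]:  # exact host, or an ancestor with includeSubDomains
                return True
        return False
```

Feeding the store a response seen over plain HTTP leaves `should_upgrade` false, which is the situation the answer suspects in the Firefox test; after one HTTPS visit carrying the header, every later http:// font URL on the host is upgraded locally.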
