如何禁用HTTP严格传输安全? [英] How to disable HTTP Strict Transport Security?
问题描述
我与 config.force_ssl = TRUE
Rails应用程序,但现在我不想SSL加密,但我的应用程序仍然重定向到https。我读这是Apache一个HTTP严格传输安全问题。如何禁用呢?
I had a Rails application with config.force_ssl = true
, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?
推荐答案
这不是与Apache的问题,而是与Rails的发送HSTS头的事实。
It's not a problem with Apache, but with the fact that Rails sends an HSTS header.
在Chrome浏览器中,您可以通过进入有关清除HSTS状态:净内部
,为的 ImperialViolet:HSTS UI在Chrome浏览器。您可能还需要清除缓存,因为 config.force_ssl = TRUE
还采用了301(永久)重定向。
In Chrome, you can clear the HSTS state by going into about:net-internals
, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true
also uses a 301 (permanent) redirection.
此外,根据这个答案,你也可以让你的应用程序发送的STS头,最大年龄= 0。在你的控制器:
In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:
response.headers["Strict-Transport-Security"] = 'max-age=0'
这篇关于如何禁用HTTP严格传输安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!