如何禁用HTTP严格传输安全？ [英] How to disable HTTP Strict Transport Security?

问题描述

我与 config.force_ssl = TRUE Rails应用程序，但现在我不想SSL加密，但我的应用程序仍然重定向到https。我读这是Apache一个HTTP严格传输安全问题。如何禁用呢？

I had a Rails application with config.force_ssl = true, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?

推荐答案

这不是与Apache的问题，而是与Rails的发送HSTS头的事实。

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

在Chrome浏览器中，您可以通过进入有关清除HSTS状态：净内部，为的 ImperialViolet：HSTS UI在Chrome浏览器。您可能还需要清除缓存，因为 config.force_ssl = TRUE 还采用了301（永久）重定向。

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

此外，根据这个答案，你也可以让你的应用程序发送的STS头，最大年龄= 0。在你的控制器：

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0'

这篇关于如何禁用HTTP严格传输安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！