如何仅在 HTTPS 上从 .htaccess 设置 HSTS 标头 [英] How to set HSTS header from .htaccess only on HTTPS

问题描述

我的 Web 应用程序在我控制的不同数量的主机上运行.为了避免更改每个虚拟主机的 Apache 配置，我在我的存储库中使用 .htaccess 文件添加了大部分配置，因此每个主机的基本设置只是几行.这也使得在部署新版本时更改配置成为可能.目前 .htaccess (un)sets headers, do some rewrite magic and control the caching of UA.

My web application runs on a different number of hosts that I control. To prevent the need to change the Apache config of each vhost, I add most of the config using .htaccess files in my repo so the basic setup of each host is just a couple of lines. This also makes it possible to change the config upon deploying a new version. Currently the .htaccess (un)sets headers, does some rewrite magic and controls the caching of the UA.

我想使用 .htaccess 在应用程序中启用 HSTS.只需设置标题就很容易:

I want to enable HSTS in the application using .htaccess. Just setting the header is easy:

Header always set Strict-Transport-Security "max-age=31536000"

但规范明确指出:HSTS 主机不得在通过非安全传输传输的 HTTP 响应中包含 STS 标头字段.".所以我不想在通过 HTTP 连接发送时发送标头.请参阅 https://datatracker.ietf.org/doc/html/draft-ietf-websec-strict-transport-sec-14 .

But the spec clearly states: "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.". So I don't want to send the header when sending it over HTTP connections. See https://datatracker.ietf.org/doc/html/draft-ietf-websec-strict-transport-sec-14 .

我尝试使用环境变量设置标题，但我卡在那里.任何人都知道如何做到这一点?

I tried to set the header using environment vars, but I got stuck there. Anyone that knows how to do that?

推荐答案

显然有一个可以轻松使用的 HTTPS 环境变量.对于有同样问题的人:

Apparently there is a HTTPS environment variable available that can be used easily. For people with the same question:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

这篇关于如何仅在 HTTPS 上从 .htaccess 设置 HSTS 标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！