301 Redirect and HSTS in .htaccess


Question

I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful?

<IfModule mod_headers.c>
    # HSTS: browsers remember to use https for this host for 16070400 s (186 days)
    Header always set Strict-Transport-Security "max-age=16070400"
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    # Permanently redirect any plain-http request to the same path over https
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

Cheers

Answer

A redirect tells people who enter http://www.example.com to go to https://www.example.com. Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www.example.com so yes you need this redirect.

There are some issues with this though.

First up http is insecure and can be read, and altered by other people on the network. That's the very reason you should use https. However, as http is insecure, that means they could intercept your redirect and keep you on http version and continue to intercept your traffic. Or alternatively redirect you to https://www.evilexample.com instead.

HTTP Strict Transport Security (or HSTS) is a security mechanism which attempts to address this issue. Your server tells the browser to ALWAYS use https for that site. Even if they don't type the protocol (when http would normally be used) and even if you DO type the protocol as http.

Once a browser has loaded HSTS for a site it will not even send an http request at all and will automatically change these to https instead. This has several advantages:

  1. It's more secure as it cannot be intercepted.
  2. It's quicker as it doesn't waste time sending a request to http://www.example.com just to be told to go to https://www.example.com.
  3. It can be used to address mixed content errors as http resources (for that site only but not loaded from other sites) will automatically be changed if you accidentally include an http source. Content Security Policy's upgrade-insecure-requests is probably a better solution for that but HSTS still provides a basic version.

Also as the other answer stated another separate benefit is that this setting also means browsers will not allow visitors to click through certificate errors for this site which adds extra security against attacks.

The main downsides of HSTS are that:

  1. Your site needs to be https only - this seems obvious but it's easy to miss parts of the site on http. Or subdomains on http if using the includeSubdomains option.
  2. Visitors need to visit the site first to pick up the HSTS policy, though you can preload it into browsers, but that is not a decision to take lightly.
  3. Browser support is not yet universal. And even where it is, crawlers used by search engines etc. may not use it.

So hopefully that explains why HSTS is a good thing and is something you should keep. On top of the redirect.
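The two checks the answer above relies on, as an added example that is not part of the original question or answer: a Python script that audits the http response for the 301-to-https redirect (same host, path preserved) and the https response for a valid Strict-Transport-Security header, parsing the header per RFC 6797. The `Response` class and the sample responses are constructed stand-ins (in practice you would fill them from one real request per scheme, without following redirects); the thresholds applied when `preload_ready=True` follow the hstspreload.org submission requirements as I know them (max-age of at least one year, includeSubDomains, preload).

```python
"""Checker for the two mechanisms discussed above: the http->https redirect and
the Strict-Transport-Security (HSTS) policy.  Added example, not part of the
original question or answer; the sample responses below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; hstspreload.org requires a max-age of at least this


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: requested URL, status and headers."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str):
        # header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value: str) -> dict:
    """Parse an STS header value per RFC 6797 section 6.1: ';'-separated directives,
    case-insensitive names, max-age required, each directive at most once."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            policy["errors"].append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", val):
                policy["max_age"] = int(val)
            else:
                policy["errors"].append(f"bad max-age value {val!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        policy["errors"].append("max-age directive missing")
    return policy


def check_redirect(http_resp: Response) -> List[str]:
    """The http:// response must be a permanent redirect to https:// on the same
    host with the path preserved, which is what the RewriteRule in the question does."""
    if http_resp.status not in (301, 308):
        return [f"expected 301/308 from the http URL, got {http_resp.status}"]
    loc = http_resp.header("Location")
    if loc is None:
        return ["redirect without a Location header"]
    src, dst = urlsplit(http_resp.url), urlsplit(loc)
    problems = []
    if dst.scheme != "https":
        problems.append(f"redirect target is not https: {loc}")
    if dst.hostname != src.hostname:
        problems.append(f"redirect changes host {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/"):
        problems.append(f"redirect drops path {src.path!r} -> {dst.path!r}")
    return problems


def check_hsts(https_resp: Response, preload_ready: bool = False) -> List[str]:
    """Browsers only honour STS received over TLS (RFC 6797 section 8.1), so the
    header is inspected on the https response.  preload_ready=True additionally
    applies the hstspreload.org submission rules (assumed: one-year max-age,
    includeSubDomains and the preload directive)."""
    value = https_resp.header("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header on the https response"]
    policy = parse_hsts(value)
    problems = list(policy["errors"])
    if policy["max_age"] == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    if preload_ready:
        if policy["max_age"] is not None and policy["max_age"] < ONE_YEAR:
            problems.append(f"max-age {policy['max_age']} is below the {ONE_YEAR} required for preload")
        if not policy["include_subdomains"]:
            problems.append("includeSubDomains is required for preload")
        if not policy["preload"]:
            problems.append("preload directive is required for preload")
    return problems


def audit(http_resp: Response, https_resp: Response, preload_ready: bool = False) -> List[str]:
    """Full audit: empty list means both the redirect and the HSTS policy pass."""
    return check_redirect(http_resp) + check_hsts(https_resp, preload_ready)


# Constructed sample responses modelled on the .htaccess in the question.
SAMPLE_HTTP = Response("http://www.example.com/page", 301,
                       {"Location": "https://www.example.com/page"})
SAMPLE_HTTPS = Response("https://www.example.com/page", 200,
                        {"Strict-Transport-Security": "max-age=16070400"})
```

With the question's configuration `audit(SAMPLE_HTTP, SAMPLE_HTTPS)` returns no problems, while `preload_ready=True` reports three (max-age below a year, no includeSubDomains, no preload), which matches the answer's point that preloading is a separate decision. Because browsers ignore the header over plain http, it only needs to be present on https responses; Apache 2.4's conditional form, `Header always set Strict-Transport-Security "max-age=16070400" "expr=%{HTTPS} == 'on'"`, keeps it off the http redirect without changing the policy the browser sees.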
