如何只对HTTPS设置为从的.htaccess HSTS头 [英] How to set HSTS header from .htaccess only on HTTPS
问题描述
我的Web应用程序在不同的数字,我控制的主机上运行。为prevent需要更改每个虚拟主机的Apache的配置,我想补充的大部分配置中使用我的回购协议的.htaccess文件,以便每个主机的基本设置是只是一对夫妇行。这也使得能够在部署新版本更改配置。目前的.htaccess(UN)套头,做了一些改写魔术和控制UA的缓存。
My web application runs on a different number of hosts that I control. To prevent the need to change the Apache config of each vhost, I add most of the config using .htaccess files in my repo so the basic setup of each host is just a couple of lines. This also makes it possible to change the config upon deploying a new version. Currently the .htaccess (un)sets headers, does some rewrite magic and controls the caching of the UA.
我希望能够使用.htaccess中的应用HSTS。只需设置标题很简单:
I want to enable HSTS in the application using .htaccess. Just setting the header is easy:
Header always set Strict-Transport-Security "max-age=31536000"
不过,该规范明确规定:一个HSTS主机不能包括在传达过非安全传输的HTTP响应的STS头字段。所以,我不想通过HTTP连接发送时,它发送的头。请参阅<一href="http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14">http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14
我试着使用环境瓦尔设置标题,但我被困在那里。任何人都知道该怎么做?
I tried to set the header using environment vars, but I got stuck there. Anyone that knows how to do that?
推荐答案
显然有一个HTTPS环境变量可用,可以很容易地被使用。对于患有同样的问题:
Apparently there is a HTTPS environment variable available that can be used easily. For people with the same question:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
这篇关于如何只对HTTPS设置为从的.htaccess HSTS头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!