如何只对HTTPS设置为从的.htaccess HSTS头 [英] How to set HSTS header from .htaccess only on HTTPS

问题描述

我的Web应用程序在不同的数字，我控制的主机上运行。为prevent需要更改每个虚拟主机的Apache的配置，我想补充的大部分配置中使用我的回购协议的.htaccess文件，以便每个主机的基本设置是只是一对夫妇行。这也使得能够在部署新版本更改配置。目前的.htaccess（UN）套头，做了一些改写魔术和控制UA的缓存。

My web application runs on a different number of hosts that I control. To prevent the need to change the Apache config of each vhost, I add most of the config using .htaccess files in my repo so the basic setup of each host is just a couple of lines. This also makes it possible to change the config upon deploying a new version. Currently the .htaccess (un)sets headers, does some rewrite magic and controls the caching of the UA.

我希望能够使用.htaccess中的应用HSTS。只需设置标题很简单：

I want to enable HSTS in the application using .htaccess. Just setting the header is easy:

Header always set Strict-Transport-Security "max-age=31536000"

不过，该规范明确规定：一个HSTS主机不能包括在传达过非安全传输的HTTP响应的STS头字段。所以，我不想通过HTTP连接发送时，它发送的头。请参阅<一href="http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14">http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14

我试着使用环境瓦尔设置标题，但我被困在那里。任何人都知道该怎么做？

I tried to set the header using environment vars, but I got stuck there. Anyone that knows how to do that?

推荐答案

显然有一个HTTPS环境变量可用，可以很容易地被使用。对于患有同样的问题：

Apparently there is a HTTPS environment variable available that can be used easily. For people with the same question:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

这篇关于如何只对HTTPS设置为从的.htaccess HSTS头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！