如何在我的网站上实施HSTS [英] How to implement HSTS in my website

问题描述

我有一个网站(godaddy的域名，托管在hostgator中).当我手动更新证书时，我可以将我的网站重定向到https，但是它总是从Google搜索访问http.在网上搜索之后，我知道考虑到目标域上的 curl -i -L 结果，考虑到 Strict-Transport-Security:max-age = 15768000 需要，因为它将强制浏览器在https中打开网站.但是我对如何在我的网站上实现这一点感到困惑.

I've a website (domain from godaddy and hosted in hostgator). As I updated the certificates, manually, I can redirect my site to https, but it is always going to http from google search. After searching online, I got to know that Considering Strict-Transport-Security: max-age=15768000 as result of curl -i -L on target domain will work for my need as it will force a browser to open the website in https. But I'm confused about how to implement this to my website.

有人可以帮我吗?

推荐答案

不确定这是否适用于Stackoverflow.再一次，它涵盖了太多的主题，以至于它也不能很好地适合任何其他StackExchange网站.所以无论如何都会尝试回答.

Not sure this is right for Stackoverflow. Then again it covers so many topics that it doesn't fit nicely in any other StackExchange site either. So anyway will attempt to answer.

重定向.

我可以将我的网站重定向到https"是什么意思?您现在已经将设置麻烦的网站重定向到https了，所以您要这样做吗?还是可以同时访问http和https?如果是这样，即使用户设置了http，也要找出如何强制使用https.

What do you mean "I can redirect my site to https"? You should redirect your site to https now you've gone through the hassle of setting this up so are you doing it? Or are you able to access both http and https? If so find out how to force https even if the user sets up http.

这是通过Web服务器上的重定向规则设置的.不确定您是否可以直接访问您的配置(例如，如果使用Apache，则为.htaccess文件)，还是要求您的主机提供商为您设置此设置.

This is set up with a redirect rule on your web server. Not sure whether you have direct access to your config (e.g. .htaccess file if using Apache) or require your host provider to set this up for you.

Google搜索

关于Google搜索，一旦您设置了重定向，Google将需要一些时间来识别它并更新其搜索索引中的链接以显示页面的https版本.

Regarding Google Search, once you have the redirect set up, it will take some time for Google to recognise this and update the links in their search index to show the https version of the pages.

说有一些方法可以告诉Google以便加快流程:

Saying that there are ways you can tell Google about this to hurry up the process:

• 您是否强制重定向到https?否则，Google将根据多种因素决定显示哪个网站(http或https).
• 您是否拥有站点地图，并且已将这些链接更新为https?
• 您的任何页面的HTML中是否都有rel ="canonical"设置，并且设置为https版本吗?例如，如果您同时允许页面的http和https版本(不推荐)，则会告诉Google哪个是页面的真实版本.
• 您是否已在Google Search Console中注册了网站的https版本?如果是这样，那里是否有任何错误?您也可以在此处启动重新索引请求.
• 是否已将所有内部链接设置为https或更好的是相对链接.
• 您能否将所有外部链接更新为https而不是http.

HTTP严格传输安全性(HSTS)

这是一个高级主题，因此，除非您进一步了解它，否则真的不会推荐它.基本上，这是一个HTTP标头，您可以通过https与网页一起发送回网页，以告诉网络浏览器嘿，我是一个仅HTTPS站点.给我".

This is an advanced topic so really wouldn't recommend it until you understand it more. Basically it's a HTTP Header you send back with your webpage over https to tell web browsers "hey I'm a https only site. From now on automatically translate any http requests to https automatically before you even send them to me".

在重定向的基础上是一项很好的安全性，但至关重要的是，它不能替代对重定向的需求.首先需要将Redirecta发送到https，然后您的Web服务器才能发送HSTS HTTP标头.

It is a good security addition on top of redirects but crucially it does not replace the need for redirects. Redirecta need to be in place first to send it to https, at which point your web server can send the HSTS HTTP Header.

要进行设置，您需要像这样发送HTTP标头(但仅通过https请求发送).

To set it up you send a HTTP Header like this (but only over https requests).

Strict-Transport-Security "max-age=16070400"

这可以在您的网络服务器或php文件中设置，也可以通过其他任何方式发送HTTP标头.

This can be setup in your webserver, or in your php files or any other way you can send HTTP Headers.

请注意，这会阻止您的网站通过http进行访问，因此，如果您出于任何原因决定关闭https，那么您基本上已经在任何时间的最长使用期限内屏蔽了您的网站缓存了该设置的浏览器.

Be aware that this we'll prevent your site being available over http, so if you decide to turn off https for whatever reason, then you've basically blocked you're site for up to the max-age time for any browsers that have cached that setting.

有关HSTS的更多信息，请参见此处: .htaccess中的301重定向和HSTS

For more information on HSTS see here: 301 Redirect and HSTS in .htaccess

但是我真的不认为这就是您在这里寻找的东西.它告诉网络浏览器(例如Google Chrome)强制使用https，并且与搜索引擎(例如Google Search)无关，因为它们目前忽略了此标头.

But I really don't think that's what you are looking for here. It tells web browsers (like Google Chrome) to force https and is nothing to do with search engines (like Google Search) as, at present, they ignore this Header.

这篇关于如何在我的网站上实施HSTS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！