由于生产中的 STS 规则，开发站点重定向到 https [英] Dev site redirected to https because of STS rule in production

问题描述

我们已在生产中激活HTTP 严格传输安全.它运作良好.但是现在想用子域开发的时候，网站自动重定向到https:

we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:

https://dev.tokeeen.com/app_dev.php/my-habits

如果主机设置为 127.0.0.1 的事件

Event if the host is set to 127.0.0.1

127.0.0.1    dev.tokeeen.com

有什么办法可以避免这种行为吗?当然我不想强制主域的主机.

Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.

推荐答案

您当前正在主站点上设置:

You are currently setting this on your main site:

Strict-Transport-Security   max-age=63072000; includeSubDomain

如果您更改此设置以删除 includeSubDomain 位，那么它将仅适用于您的顶级域，而不适用于开发子域:

If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:

Strict-Transport-Security   max-age=63072000;

然后您需要访问您的生产站点以加载此标头并覆盖浏览器缓存中的现有标头.

You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.

然而，这不太安全(例如，有人可以设置 www.tokeeen.com 并假装是您的站点，例如通过一些 DNS 操作).

However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).

但老实说，你应该只在你的开发站点上使用 https.互联网正朝着 HTTPS 发展，许多新功能在普通 HTTP 下不起作用.此外，您正在开发的内容与您的生产站点不同，因此如果您包含 http://链接而不是 https://，例如，当您发布到生产站点时，您会突然看到此失败.

But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.

您希望在您的网站上使用 LetsEncrypt，因此证书是免费的.帮自己一个忙，为您的开发子域再免费获得一个.

You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.

这篇关于由于生产中的 STS 规则，开发站点重定向到 https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！