由于生产中的STS规则,开发站点重定向到https [英] Dev site redirected to https because of STS rule in production
问题描述
我们已激活生产中的HTTP严格传输安全。它运作良好。但现在,当想要使用子域进行开发时,网站会自动重定向到https:
https://dev.tokeeen.com/app_dev.php/my-habits
如果主机设置为127.0.0.1,则为事件
127.0.0.1 dev.tokeeen.com
有什么可以避免这种行为吗?当然我不想强制主域的主机。
您目前在主站点设置此项:
Strict-Transport-Security max-age = 63072000; includeSubDomain
如果更改此项以删除 includeSubDomain 位然后它只适用于您的顶级域而不是dev子域:
Strict-Transport-Security max-年龄= 63072000;
然后,您需要访问您的生产站点以加载此标头并覆盖浏览器缓存中的现有标头。
然而这不太安全(例如有人可能会设置www.tokeeen.com,假装是你的网站,例如有一些DNS操作)。 / p>
但说实话,你应该在你的开发网站上使用https。互联网正在向HTTPS和许多人转移新功能在普通HTTP下无效。此外,您正在开发的内容与您的生产站点不同,因此如果您包含http://链接而不是https://,例如,当您发布到生产环境时,您会突然看到此失败。
您希望在您的网站上使用LetsEncrypt,因此证书是免费的。帮自己一个忙,然后为你的开发子域获得另一个免费的。
we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:
Event if the host is set to 127.0.0.1
127.0.0.1 dev.tokeeen.com
Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.
You are currently setting this on your main site:
Strict-Transport-Security max-age=63072000; includeSubDomain
If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:
Strict-Transport-Security max-age=63072000;
You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.
However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).
But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.
You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.
这篇关于由于生产中的STS规则,开发站点重定向到https的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
