301 Redirect and HSTS in .htaccess
I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful?
<IfModule mod_headers.c>
    # Tell browsers to use only https for this host for the next 16070400 seconds (186 days)
    Header always set Strict-Transport-Security "max-age=16070400"
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Send any request that arrived over plain http to the same host and path over https
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
Cheers
A redirect tells people who enter http://www.example.com to go to https://www.example.com. Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www.example.com, so yes you need this redirect.
There are a few problems with this though.
First up, http is insecure and can be read and altered by other people on the network. That's the very reason you should use https. However, as http is insecure, that means they could intercept your redirect and keep you on the http version and continue to intercept your traffic. Or alternatively redirect you to https://www.evilexample.com instead.
HTTP Strict Transport Security (or HSTS) is a security mechanism which attempts to address this issue. Your server tells the browser to ALWAYS use https for that site. Even if they don't type the protocol (when http would normally be used) and even if you DO type the protocol as http.
Once a browser has loaded HSTS for a site it will not even send an http request at all and will automatically change these to https instead. This has several advantages:
http://www.example.com just to be told to go to https://www.example.com.
Also, as the other answer stated, another separate benefit is that this setting also means browsers will not allow visitors to click through certificate errors for this site, which adds extra security against attacks.
The main downsides of HSTS are that:
So hopefully that explains why HSTS is a good thing and is something you should keep, on top of the redirect.
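The browser-side behaviour this answer describes, as an added Python model (not code from the answer or from any browser): it parses the header the question sets, accepts it only from an https response, honours max-age and max-age=0, and rewrites http:// URLs before any request would go out. It also covers includeSubDomains, which the answer does not mention; the clock is injected so expiry can be exercised.

```python
import time
from urllib.parse import urlsplit, urlunsplit
def parse_hsts(header):
    """Parse an STS header value into (max_age, include_subdomains); None if no usable max-age."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name.strip() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None  # malformed: browsers ignore the whole header
            max_age = int(value)
        elif name.strip() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    # Minimal model of a browser's HSTS cache (RFC 6797 semantics); `now` is injectable for testing.
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, url, header):
        """Record the policy carried by a response to `url`; returns True if it was accepted."""
        parts, parsed = urlsplit(url), parse_hsts(header)
        if parts.scheme != "https" or parsed is None:
            return False  # ignored over plain http (RFC 6797 s8.1): the redirect hop can never set HSTS
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        # True if `host` or, via includeSubDomains, a parent domain has an unexpired policy.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))  # expired entries simply stop matching
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        # Rewrite http:// to https:// before any request is sent, if the host is known.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```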
Yes! You should keep both of them. From the OWASP docs, there are many benefits to using HSTS. E.g.:
automatically redirects HTTP requests to HTTPS.
prevents users from overriding invalid certificate messages.
I think you should have a look at this documentation https://varvy.com/pagespeed/hsts.html which says:
It is basically like a 301 redirect, but at the browser level, rather than the webpage level. It is superior to a 301 redirect as it can be implemented to always only use https, whereas 301 redirects are actually insecure when first seen by a browser.
After reading the documentation, you can decide for yourself.