I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful?
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=16070400"
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

Cheers
A redirect tells people who enter www.example.com to go to https://www.example.com. Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www.example.com, so yes, you need this redirect.
First up, http is insecure and can be read and altered by other people on the network. That's the very reason you should use https. However, as http is insecure, that means they could intercept your redirect and keep you on the http version and continue to intercept your traffic. Or alternatively redirect you to www.evilexample instead.
HTTP Strict Transport Security (or HSTS) is a security mechanism which attempts to address this issue. Your server tells the browser to ALWAYS use https for that site. Even if they don't type the protocol (when http would normally be used) and even if you DO type the protocol as http.
Once a browser has loaded HSTS for a site it will not even send an http request at all and will automatically change these to https instead. This has several advantages:
Also, as the other answer stated, another separate benefit is that this setting also means browsers will not allow visitors to click through certificate errors for this site, which adds extra security against attacks.
The main downsides of HSTS are that:
So hopefully that explains why HSTS is a good thing and is something you should keep. On top of the redirect.
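To make the answer's description of HSTS concrete, here is an added example (not part of the original question or answer): a toy Python model of how a browser stores a Strict-Transport-Security header and then rewrites http:// URLs to https:// locally, so no plaintext request or interceptable redirect ever happens. It goes a little beyond the answer by also modelling max-age expiry, max-age=0 and includeSubDomains, and by showing the caveat that the header is only honoured when received over HTTPS (which is why the 301 redirect still matters for a first visit). All hostnames and header values are made up.

```python
from urllib.parse import urlsplit, urlunsplit
# Toy model of a browser's HSTS store (RFC 6797): host -> (expiry, includeSubDomains)
HSTS_STORE = {}

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name.strip() == "max-age":
            digits = value.strip().strip('"')
            if not digits.isdigit():
                return None
            max_age = int(digits)
        elif name.strip() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def process_response(url, headers, now):
    # Store the policy as a browser would. The header is ignored unless it arrived over
    # HTTPS (RFC 6797 section 8.1), so the 301 redirect is still needed for a first visit.
    parts = urlsplit(url)
    if parts.scheme != "https" or "Strict-Transport-Security" not in headers:
        return False
    parsed = parse_hsts(headers["Strict-Transport-Security"])
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = parts.hostname.lower()
    if max_age == 0:
        HSTS_STORE.pop(host, None)  # max-age=0 tells the browser to forget the policy
    else:
        HSTS_STORE[host] = (now + max_age, include_sub)
    return True

def is_hsts_host(host, now):
    """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = HSTS_STORE.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade_request(url, now):
    """URL the browser really fetches: http:// becomes https:// locally for HSTS hosts."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_hsts_host(parts.hostname, now):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url
```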