HTTP 严格传输安全(HSTS)

12 篇文章 0 订阅
8 篇文章 0 订阅
What is HSTS?
HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website.
When a user enters a web domain manually (providing the domain name without the  http://  or  https:// prefix) or follows a plain  http://  link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a well-placed attacker can mount a man-in-the-middle (MITM) attack to intercept the initial HTTP request and can control the user’s session from then on.
HSTS seeks to deal with the potential vulnerability by instructing the browser that a domain can only be accessed using HTTPS. Even if the user enters or follows a plain HTTP link, the browser strictly upgrades the connection to HTTPS:

Chrome developer tools illustrate how an HSTS policy
generates an internal redirect to upgrade HTTP to HTTPS

How Does HSTS Work?
An HSTS policy is published by sending the following HTTP response header from secure (HTTPS) websites:
Strict-Transport-Security: max-age=31536000
When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the  max-age  period (typically 31,536,000 seconds, equal to about 1 year).
The optional  includeSubDomains  parameter tells the browser that the HSTS policy also applies to all subdomains of the current domain.
Strict-Transport-Security: max-age=31536000; includeSubDomains
For example, the HTML response for  https://www.example.com  can include a request to a resource from  https://example.com , to make sure that HSTS is set for all subdomains of  example.com .


Read More
For more details about HSTS, check out the following resources:
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值