HTTP 严格传输安全（HSTS）

最新推荐文章于 2024-08-26 17:34:00 发布

阅读量4.3k

点赞数

分类专栏： nginx html/js/ajax 浏览器系统

本文链接：https://blog.csdn.net/buyaore_wo/article/details/72629741

版权

html/js/ajax 同时被 3 个专栏收录

15 篇文章 0 订阅

订阅专栏

nginx

12 篇文章 0 订阅

订阅专栏

浏览器

8 篇文章 0 订阅

订阅专栏

 
 What is HSTS? 

 
 HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website. 

 
 When a user enters a web domain manually (providing the domain name without the  
 http:// 
  or  
 https:// 
 prefix) or follows a plain  
 http:// 
  link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a well-placed attacker can mount a man-in-the-middle (MITM) attack to intercept the initial HTTP request and can control the user’s session from then on. 

 
 HSTS seeks to deal with the potential vulnerability by instructing the browser that a domain can only be accessed using HTTPS. Even if the user enters or follows a plain HTTP link, the browser strictly upgrades the connection to HTTPS: 

 
 Chrome developer tools illustrate how an HSTS policy 

 
 generates an internal redirect to upgrade HTTP to HTTPS 

 
 How Does HSTS Work? 

 
 An HSTS policy is published by sending the following HTTP response header from secure (HTTPS) websites: 

 
 Strict-Transport-Security: max-age=31536000 

 
 When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the  
 max-age 
  period (typically 31,536,000 seconds, equal to about 1 year). 

 
 The optional  
 includeSubDomains 
  parameter tells the browser that the HSTS policy also applies to all subdomains of the current domain. 

 
 Strict-Transport-Security: max-age=31536000; includeSubDomains 

 
 For example, the HTML response for  
 https://www.example.com 
  can include a request to a resource from  
 https://example.com 
 , to make sure that HSTS is set for all subdomains of  
 example.com 
 . 

 
 Read More 

 
 For more details about HSTS, check out the following resources: 

RFC 6797, HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security on Wikipedia
Browser support for HSTS

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
复制链接

分享到 QQ

分享到新浪微博

扫一扫

专栏目录