20.3 HTTP Strict Transport Security

Problem

You need to instruct browsers to never send requests over HTTP.

Solution

Use the HTTP Strict Transport Security (HSTS) enhancement by setting the Strict-Transport-Security header in the server block that terminates TLS:

add_header Strict-Transport-Security max-age=31536000;

This configuration sets the Strict-Transport-Security header with a max age of one year (31,536,000 seconds). Once a browser has received the header on an HTTPS response, it will, for that period, rewrite any http:// URL for this domain to https:// before the request leaves the machine (an internal redirect inside the browser, not a network round trip), so all requests to the domain are made over HTTPS.

Browsers ignore this header when it arrives over plain HTTP, so it must be emitted from the HTTPS server block, not from the HTTP block that performs the redirect. By default NGINX adds the header only to 2xx, 3xx and a few other successful response codes; append the always parameter to add_header if it should be sent on error responses as well. Adding includeSubDomains to the value extends the policy to every subdomain, which is what you want once all subdomains serve HTTPS and is a fast way to break the ones that do not.

Discussion

For some applications, a single HTTP request captured by a man-in-the-middle attacker could be the end of the company. If a form post containing sensitive information is sent over HTTP, the HTTPS redirect from NGINX won't save you; the damage is done before the redirect response ever arrives. This opt-in security enhancement instructs the browser never to make an HTTP request to the domain, so the request is never sent unencrypted.

The browser only learns the policy from an HTTPS response, so the very first visit, or a visit after the max-age has lapsed, still starts with an unprotected HTTP request that relies on the redirect. The preload directive, together with the HSTS preload lists shipped inside browsers, exists to close that gap.
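The following is an added example that models the browser side of the behaviour described above; it is not NGINX configuration and not code from the NGINX Cookbook. It parses the Strict-Transport-Security value the way RFC 6797 prescribes, keeps the policy for max-age seconds, ignores a header that arrives over plain HTTP, and rewrites http:// URLs for a known host (and, with includeSubDomains, its subdomains) to https:// before anything is sent. The host names, header values and the injectable clock are constructed for the example.

```python
"""Browser-side model of HTTP Strict Transport Security (RFC 6797).

Added example for this section, not code from the NGINX Cookbook. The URLs
and header values below are constructed samples.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[tuple[int, bool]]:
    """Parse a header value into (max_age, include_subdomains).

    Returns None for a value a browser must ignore: max-age missing or
    non-numeric, or any directive repeated (RFC 6797 section 6.1). Names are
    case-insensitive; unknown directives such as "preload" are skipped.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')     # max-age="300" is permitted
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The browser's list of known HSTS hosts; the clock is injectable for tests."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._policies: dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, hsts_header: Optional[str]) -> bool:
        """Learn a policy from a response; True if the store changed.

        A header seen over plain http:// is ignored (RFC 6797 section 8.1),
        since an on-path attacker could inject or strip it. max-age=0 tells
        the browser to forget the host.
        """
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or not host or hsts_header is None:
            return False
        parsed = parse_hsts(hsts_header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            return self._policies.pop(host, None) is not None
        self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """True if host, or a superdomain flagged includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= now:
                del self._policies[candidate]   # lapsed: drop it and keep looking
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser actually fetches.

        http:// becomes https:// for a known host; an explicit :80 is dropped
        so the https default of 443 applies (RFC 6797 section 8.3). Anything
        else is returned unchanged.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed sample: the header is only honoured once it arrives over HTTPS.
    store.observe_response("http://example.com/", "max-age=31536000")
    print(store.rewrite("http://example.com/login"))        # http://example.com/login
    store.observe_response("https://example.com/", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://example.com/login"))        # https://example.com/login
    print(store.rewrite("http://api.example.com:8080/v1"))  # https://api.example.com:8080/v1
```

The first observe_response call is the point of the Discussion: a site that only ever sends the header from its HTTP server block never gets a policy stored, and every visit still begins with a cleartext request.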


Also See

RFC-6797 HTTP Strict Transport Security

OWASP HSTS Cheat Sheet

[MDN HTTP Strict Transport Security](https://developer.mozilla.org/zh-CN/docs/Security/HTTP_Strict_Transport_Security)
