Errors when checking eligibility for HSTS preload

I have this website set up: http://website1.com/ - returns 301 Moved Permanently and redirects to http://www.website1.com/.

http://www.website1.com/ - returns 301 Moved Permanently and redirects to https://www.website2.com/.

https://www.website2.com/ - returns 200 OK and has this in the response:

strict-transport-security: max-age=31536000; includeSubDomains

I have this subdomain running a web application: https://subdomain.website1.com/ which also has the following header in the response:

Strict-Transport-Security: max-age=31536000; includeSubDomains

I want preloading for all subdomains of website1.com/. However, when checking eligibility I get the following errors:

Error: No HSTS header
Response error: No HSTS header is present on the response.

Error: HTTP redirects to www first
http://website1.com (HTTP) should immediately redirect to https://website1.com (HTTPS) before adding the www subdomain.
Right now, the first redirect is to http://www.website1.com/.
The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

The first error is easy; I can add the HSTS header.

But why does the redirect matter?

All I want is for http://subdomain.website1.com/ to redirect internally to https://subdomain.website1.com/, and http://website1.com/ to redirect internally to https://website1.com/.

Can't http://website1.com make an internal redirect to https://website1.com, regardless of the fact that it redirects to www.website1.com/?

I have this website set up: http://website1.com/ - returns 301 Moved Permanently and redirects to http://www.website1.com/.

That is your problem. http://website1.com should redirect to https://website1.com and then on to https://www.website1.com.

That way the top-level website1.com domain will pick up the HSTS header and protect itself and all subdomains (assuming it has the includeSubDomains attribute set, which is a prerequisite for preloading).

Without switching to HTTPS first, or if you jump straight to https://www.website1.com, the browser will never see the HSTS header on the top-level domain and so will not know that it (and all subdomains) should be protected by HSTS. This is 1) less secure and 2) more risky when preloading, as maybe you still have a non-HTTPS site (e.g. http://blog.website1.com or http://intranet.website1.com). By forcing you to set this up before preloading, those issues will hopefully be caught while HSTS can still be reversed (which is basically impossible once it is preloaded into the browsers' source code, at least for many months).

The risk of accidentally locking out non-HTTPS subdomains with preload is one reason I've argued in the past that preload is potentially more risky than useful, and overkill for most sites. But as HTTPS becomes the norm, I'm less against it now. I still think it's a bit of overkill except for highly targeted sites.

Incidentally, for the first error, make sure the HSTS header is included on the 301 redirects. For example, for Apache you need always set rather than just set, as described here: https://whosebug.com/a/48103216/2144578
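As an added example (not part of the question or the answer), here is a small Python checker that applies the rules behind the two errors above to a recorded redirect chain instead of live requests. The two site dicts are constructed: BROKEN_SITE mirrors the chain in the question and FIXED_SITE the order the answer asks for, with the header also present on the 301. It goes slightly beyond the thread by also checking the max-age (at least one year) and preload directives that hstspreload.org requires.

```python
from urllib.parse import urlsplit
# Constructed stand-in for the two sites (no network): url -> (status, headers). BROKEN_SITE mirrors
# the chain in the question; FIXED_SITE is the order the answer asks for, with HSTS on the 301 too.
HSTS_OK = "max-age=31536000; includeSubDomains; preload"
BROKEN_SITE = {
    "http://website1.com/": (301, {"Location": "http://www.website1.com/"}),
    "http://www.website1.com/": (301, {"Location": "https://www.website2.com/"}),
    "https://www.website2.com/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}
FIXED_SITE = {
    "http://website1.com/": (301, {"Location": "https://website1.com/"}),
    "https://website1.com/": (301, {"Location": "https://www.website1.com/", "Strict-Transport-Security": HSTS_OK}),
    "https://www.website1.com/": (200, {"Strict-Transport-Security": HSTS_OK}),
}
REDIRECTS = (301, 302, 307, 308)

def hsts_problems(headers):
    # Problems with one response's HSTS header; empty when it meets the preload rules.
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        return ["No HSTS header"]
    directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
    problems = []
    age = next((d for d in directives if d.startswith("max-age=")), "max-age=0")
    if int(age.split("=", 1)[1]) < 31536000:
        problems.append("max-age must be at least 31536000")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append(f"missing {required} directive")
    return problems

def check_preload(site, domain):
    errors = []
    # Rule 1: the top-level domain itself must answer over HTTPS with a valid HSTS header.
    errors += hsts_problems(site.get(f"https://{domain}/", (None, {}))[1])
    # Rule 2: the first hop from plain HTTP goes straight to HTTPS on the same host, before any www hop.
    url = f"http://{domain}/"
    status, headers = site.get(url, (None, {}))
    target = urlsplit(headers.get("Location", ""))
    if status not in REDIRECTS or not target.hostname:
        errors.append("HTTP does not redirect")
    elif target.scheme != "https" or target.hostname != domain:
        errors.append(f"HTTP must redirect straight to https://{domain}/, not {target.geturl()}")
    # Rule 3: every HTTPS response along the chain, 301s included, must carry the header too.
    seen = set()
    while url in site and url not in seen and site[url][0] in REDIRECTS:
        seen.add(url)
        url = site[url][1]["Location"]
        if url.startswith("https://") and url in site:
            errors += [f"{p} on {url}" for p in hsts_problems(site[url][1])]
    return errors
```

Running check_preload(BROKEN_SITE, "website1.com") reproduces both errors from the question (plus the missing preload directive), while FIXED_SITE comes back clean.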