Recommended way to redirect HTTP requests to HT

Posted 2019-02-19 02:27

I have some doubts about how to redirect all my http pages to https.

I've seen that there are some who say to do a rewrite like in this reply:

And Apache says to do it this way:

Can anyone explain to me what the recommended way to make this change is?

2 answers
神经病院院长
2nd floor · 2019-02-19 03:12

The only secure way to redirect http to https is to use HSTS (Header Strict-Transport-Security) with the preload option.

The Apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that didn't preload HSTS, it's your only option:

<VirtualHost *:80>
      ServerName www.example.com
      Redirect "/" "https://www.example.com/"
</VirtualHost>

Apache redirect

In the https response:

<VirtualHost *:443>
      # Use HTTP Strict Transport Security to force client to use secure connections only
      # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      Header always set Strict-Transport-Security "max-age=31536000"

      # Further Configuration goes here
      [...]
</VirtualHost>

HSTS

Or, using .htaccess:

# mod_rewrite rules are ignored unless the engine is switched on
RewriteEngine On
# Redirect if http
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# set header if https
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

The Header Strict-Transport-Security (HSTS) has 2 effects:

  • For the visitor, it tells the browser to only use https on that domain and all sub-domains for one year (all http requests will be rewritten as https requests without network interaction)
  • For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website commits to https. Note that HSTS+preload can't be rolled back, it's a definitive commitment to security (but that's the strength of it: an attacker can't remove it either)

The commented-out HSTS header is the most secure one but can't be rolled back:

  • Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The uncommented HSTS header is less secure because the first connection can still be insecure, and it does not protect subdomains:

  • Strict-Transport-Security "max-age=31536000"

HSTS is the only reliable protection against SSLStrip.

SEO implications: If the website already redirects all http webpages to https, then that header has no negative (and no positive) effect.

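The two responses the answer above configures (a redirect on port 80, an HSTS header on port 443) can be sanity-checked offline; this added example is mine, not code from either answer, and it parses the Strict-Transport-Security value and flags the weaker settings the answer describes. The one-year minimum and the includeSubDomains/preload requirements are assumptions taken from the public HSTS preload-list rules as I understand them.

```python
# Added example, not part of either answer: offline checks of the two responses
# a correctly configured server sends. Thresholds follow the public HSTS
# preload-list rules as I understand them (assumption): max-age of at least one
# year, includeSubDomains and preload all present.
ONE_YEAR = 31536000

def parse_hsts(value):
    """'max-age=31536000; includeSubDomains; preload' -> dict of directives.
    Valued directives keep their string value, bare flags map to True; names
    are case-insensitive (RFC 6797), so they are lowercased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives

def check_redirect(status, headers):
    """Problems with the plain-HTTP response; an empty list means it is fine."""
    problems = []
    if status not in (301, 308):
        # Apache's Redirect with no status argument answers 302 (temporary).
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    location = headers.get("location", "")
    if not location.lower().startswith("https://"):
        problems.append(f"Location does not point at https: {location!r}")
    return problems

def check_hsts(headers, want_preload=False):
    """Problems with the HSTS policy on the https response; empty list is fine."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(raw)
    if not str(d.get("max-age", "")).isdigit():
        return ["max-age is missing or not an integer"]
    problems = []
    if int(d["max-age"]) < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if want_preload and "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains stay unprotected")
    if want_preload and "preload" not in d:
        problems.append("preload token missing: the first request stays insecure")
    return problems

# Constructed sample responses mirroring the answer's two vhosts.
HTTP_RESPONSE = (301, {"location": "https://www.example.com/"})
HTTPS_BASIC = {"strict-transport-security": "max-age=31536000"}
HTTPS_PRELOAD = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
```

Feed the functions the status code and lowercased header names of real responses (for example from curl -I) to confirm a deployment matches the intended policy.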
虎瘦雄心在
3rd floor · 2019-02-19 03:12

Add this just below or above DocumentRoot in /etc/apache2/sites-available/yoursite.conf

Redirect permanent / https://your-site.com/
