我创建了一个网站,试图通过httpd.conf添加HSTS安全标头
<IfModule mod_headers.c>
Header always set Strict-Transport-Security 'max-age=4000; includeSubDomains'
</IfModule>
添加上面的代码,能够看到在我的HTTPS响应标头上添加的Strict-Transport-Security标头
host> curl -v https://172.21.218.67 --insecure
* About to connect() to 172.21.218.67 port 443 (#0)
* Trying 172.21.218.67... connected
* Connected to 172.21.218.67 (172.21.218.67) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: ****************************************
* start date: Oct 21 06:42:49 2019 GMT
* expire date: Nov 20 06:42:49 2019 GMT
* common name: Insights
* issuer: *****************************************
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 172.21.218.67
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 21 Oct 2019 10:50:54 GMT
< Server: Apache
< Strict-Transport-Security: max-age=4000; includeSubDomains
< Last-Modified: Mon, 21 Oct 2019 08:58:58 GMT
< ETag: "8f3-59567e4f07362"
< Accept-Ranges: bytes
< Content-Length: 2291
< Content-Type: text/html
但是这确实会导致浏览器对我的网站产生影响。 (如果用户尝试通过HTTP访问我的网站,则浏览器不会重定向到HTTPS。)>
我什至在chrome的HSTS清单中都看不到我的网站列表
chrome://net-internals/#hsts我是否需要添加任何其他配置才能使其正常工作?
我创建了一个网站,试图通过httpd.conf添加HSTS安全标头
根据IMSoP的建议,我的测试服务器不受该服务器的信任,从而影响了HSTS功能。