Enable HSTS and add your site to the HSTS Preload List to make HTTPS access more secure (with the HSTS removal method attached)

The reason I thought of enabling HSTS: recently many friends reported that the site would not open; although the ping values were all normal, the page could not be accessed. I suspect part of the problem may be DNS resolution. My own local DNS hijacking has also reached a "frenzied" level: when accessed without HTTPS, JD.com and Taobao both have all kinds of promotions injected into them.

Having enabled HSTS, it is natural to also want to join the HSTS Preload List, a list of sites that the major browsers are required to access only over HTTPS. Once a site is on this list, every request made through a browser is forced to go over HTTPS, which largely eliminates hijacking of the "first" visit and maximizes the safety of HTTPS access.

Note that the HSTS Preload List must be joined with the root domain name. If your site is accessed through a secondary domain such as www.abc.com, you need to stop the 301 redirect, so that the root domain abc.com is also reachable over HTTPS. (PS: one of my own sites was in this situation before; judge your specific circumstances at the time of your application.)


HSTS strengthens HTTPS security on the server side. If your site does not have HTTPS enabled yet, you can try a free Let's Encrypt SSL certificate.

I. Enable HSTS on the server

HSTS (HTTP Strict Transport Security) is a web security protocol promoted by the IETF. A site that uses the HSTS protocol ensures that the browser always connects to the HTTPS-encrypted version of the site, without the user having to type the encrypted address into the URL bar by hand.

1.1 Configure HSTS in Apache2

Edit your Apache configuration files (such as /etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf) and add the following to your HTTPS VirtualHost:

# mod_headers must be loaded. The LoadModule line is usually in httpd.conf: search for mod_headers and uncomment it. (Skip this step if the module is already loaded.)
LoadModule headers_module modules/mod_headers.so

# Then insert the HSTS response header inside the HTTPS VirtualHost of the site
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Save the Apache configuration file and restart Apache. Your site will now send this header with every response; the expiry time is two years (given in seconds), and it is reset to two years from each visit.

1.2 Configure HSTS in Nginx

Nginx configuration is the simplest: edit the Nginx configuration file (for example /usr/local/nginx/conf/nginx.conf) and add the following line to the server block of your HTTPS configuration:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

If the directive has no effect when added directly in the server block, try inserting it in the location ~ php block instead. Nginx only inherits add_header from the enclosing level when the current block defines no add_header of its own, so a location that already sets headers must repeat it:

location ~ [^/]\.php(/|$) {
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}

Save the Nginx configuration and restart the service.

1.3 Configure HSTS in Lighttpd

Add the following to your Lighttpd configuration file (for example /etc/lighttpd/lighttpd.conf):

server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload" )
}

Remember to restart Lighttpd after saving the edit.

1.4 Configure HSTS in PHP

Add the following code to index.php or header.php in the site root. header() must be called before any output is sent, otherwise PHP cannot add the header:

// Must run before any output (even a stray whitespace before <?php) or the header cannot be sent
header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");

After enabling HSTS, the score of your SSL/TLS deployment test may rise to A+. The SSL Labs official site and a demo are as follows:

  1. Official website: https://www.ssllabs.com/
  2. Chinese version: https://myssl.com
  3. Demo: https://www.ssllabs.com/ssltest/analyze.html?d=wzfou.com

(Screenshot: A+ rating after enabling HSTS)

II. Add your site to the HSTS Preload List

The HSTS preload list is the list of HSTS sites built into the Chrome browser; when a site on the list is visited in Chrome, the request is automatically converted to HTTPS. Firefox, Safari and Edge also use this list.

  1. https://hstspreload.org/
  2. https://wzfou.com/cloudflare/

2.1 Test that HSTS is in effect

Open Chrome's developer tools and view the Network panel; you can see that the response headers already include the HSTS header.

(Screenshot: HSTS response header shown in the Network panel)

2.2 Redirect HTTP to HTTPS properly

wzfou.com and every second-level domain under it must redirect HTTP to HTTPS. Once HSTS is enabled, the request shows a 307 (Internal Redirect) with a Location header: the browser itself rewrites the request to the HTTPS address in the Location header before sending it.

(Screenshot: 307 internal redirect to HTTPS)

2.3 Add the site to the HSTS Preload List

Go to the hstspreload official website and enter your domain name; the check results tell you whether the domain can be added to the HSTS Preload List. If there is no problem, tick the confirmation boxes and submit.

(Screenshot: submitting the domain to the HSTS Preload List)

The HSTS Preload List review can take a long or a short time; once you have submitted, all you can do is wait.

(Screenshot: submission pending review)
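The two things hstspreload.org verifies before accepting a domain are the HTTP-to-HTTPS redirect from section 2.2 and the header itself (max-age of at least one year, includeSubDomains, preload). The following script is an added example, not code from the original post: it runs those checks offline against constructed HTTP responses so you can see exactly which part of a configuration would be rejected. The host name wzfou.com is taken from the post; the response texts are constructed samples, not real captures.

```python
"""Check a Strict-Transport-Security header and an HTTP-to-HTTPS redirect
against the HSTS preload submission requirements (added example).

Rules checked, as published on hstspreload.org:
  * max-age of at least 31536000 seconds (one year)
  * the includeSubDomains directive
  * the preload directive
  * a plain-HTTP request to the domain redirects to https:// on the same host
"""

ONE_YEAR = 31536000

# Constructed sample responses (headers only, as a client would receive them).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://wzfou.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)
WEAK_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n\r\n"
)


def split_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def parse_hsts(value):
    """Parse an STS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797), so they are lowercased;
    max-age is converted to an int, other values are kept as strings.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer, got %r" % val)
            directives[name] = int(val)
        else:
            directives[name] = val
    return directives


def header_problems(sts_value):
    """Reasons the STS header alone would fail the preload checks (empty list = OK)."""
    if sts_value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(sts_value)
    except ValueError as e:
        return [str(e)]
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif d["max-age"] < ONE_YEAR:
        problems.append("max-age %d is below one year (%d)" % (d["max-age"], ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def preload_problems(http_raw, https_raw, host):
    """Combine the redirect check on the port-80 response with the header
    check on the HTTPS response. Returns a list of problems; empty means ready."""
    problems = []
    code, headers = split_response(http_raw)
    location = headers.get("location", "")
    target = "https://" + host.lower()
    # The first redirect must go straight to HTTPS on the same host.
    redirect_ok = code in (301, 302, 307, 308) and (
        location.lower() == target or location.lower().startswith(target + "/"))
    if not redirect_ok:
        problems.append("http://%s does not redirect to https://%s (got %d %s)"
                        % (host, host, code, location))
    _, https_headers = split_response(https_raw)
    problems.extend(header_problems(https_headers.get("strict-transport-security")))
    return problems


if __name__ == "__main__":
    print("ready:", preload_problems(HTTP_RESPONSE, HTTPS_RESPONSE, "wzfou.com"))
    print("weak:", preload_problems(HTTPS_RESPONSE, WEAK_HTTPS_RESPONSE, "wzfou.com"))
```

The header parser lowercases directive names, so the includeSubdomains spelling used in the configuration snippets above is accepted just as includeSubDomains is; what does get rejected is a short max-age, a missing directive, or a port-80 response that serves content (or redirects to another host) instead of sending the visitor to https:// on the same domain.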

III. HSTS Preload List problems

3.1 Check whether you were successfully added to the HSTS Preload List

Search the following address directly to see whether your domain name is in it:

  1. https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json

Of course, after being added to the HSTS Preload List you may still have to wait one to two months, until new versions of Chrome, Chromium, Firefox, IE and the others are released, before your domain is officially recognized by the major browsers and HTTPS access is enforced. You can check the status in Chrome by entering chrome://net-internals/#hsts in the address bar.

(Screenshot: searching the preload list source for the domain)
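Searching transport_security_state_static.json by eye works, but the file is not plain JSON (it carries "//" comment lines) and a domain can also be covered by a parent entry with include_subdomains set. The script below is an added example, not code from the original post or from Chromium: it strips the comment lines, parses the entries, and resolves whether a host is force-HTTPS by walking up its labels. The excerpt embedded in it is constructed in the format of that file; the wzfou.com entry is constructed too, not copied from the real list.

```python
"""Look a host up in a copy of Chromium's transport_security_state_static.json
(added example). The real file mixes '//' comment lines into JSON, so they
must be removed before json.loads. The excerpt below is constructed."""
import json

SAMPLE_LIST = r'''
// Constructed excerpt in the format of
// net/http/transport_security_state_static.json (not the real list).
{
  "entries": [
    { "name": "example.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
    { "name": "nosub.example.net", "policy": "custom", "mode": "force-https", "include_subdomains": false },
    { "name": "wzfou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true }
  ]
}
'''


def load_preload_entries(text):
    """Drop '//' comment lines, parse the JSON and index the entries by name."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    data = json.loads("\n".join(lines))
    return {entry["name"].lower(): entry for entry in data["entries"]}


def preload_status(entries, host):
    """Return the entry that forces HTTPS for host, or None if it is not covered.

    Walks from the full host up to the registrable parents: an exact match
    always applies, a parent entry applies only if include_subdomains is set.
    Entries whose mode is not force-https (for example pin-only entries) are
    skipped, because they do not make the browser upgrade the connection.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None


if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE_LIST)
    for host in ("wzfou.com", "blog.wzfou.com", "www.nosub.example.net", "notlisted.org"):
        hit = preload_status(entries, host)
        print(host, "->", hit["policy"] if hit else "not preloaded")
```

To check against the real file, fetch the raw JSON from the Chromium source and pass its text to load_preload_entries; the lookup itself is unchanged. A host that appears in that file is only enforced once a browser release that ships the updated list reaches users, which is the one-to-two-month delay described above.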

3.2 How to withdraw from the HSTS Preload List

  1. https://hstspreload.org/removal/

The official site also provides a removal application for the HSTS Preload List, but note that withdrawing from the list, like joining it, can take several months or more, so be cautious before applying to the HSTS Preload List.

(Screenshot: HSTS Preload List removal form)

IV. Summary

Since the HSTS Preload List is a list of HTTPS-only sites built into the major browsers, joining it successfully depends not only on passing the review but also on waiting for browser version updates. Once a site is on the HSTS Preload List, leaving it is more troublesome, so think it over carefully before joining.

So which sites are suitable for joining the HSTS Preload List? A personal blog or website can give it a try; sites with relatively high security requirements, such as e-commerce sites and membership or admin back-ends, can use the HSTS Preload List; for sites with no such need, staying on plain HTTP is fine too.

Source: www.cnblogs.com/woniu666/p/11962819.html