How to implement HTTP Strict Transport Security (HSTS) on AWS Elastic Load Balancer?

臣服心动 2021-02-20 17:04

I would like to implement HSTS to my application.

I have an ELB terminating SSL and forwarding the traffic to my application, which is an apache server used as reverse p

4 Answers
  •  被撕碎了的回忆
    2021-02-20 17:52

    If you're working with Apache 2.4+, you may be familiar with expressions and the directives <If>, <ElseIf>, and <Else>.

    I have a complex configuration between dev, staging, and production environments, so relying on the [L] flag with the RewriteRule just wouldn't cut it for me.

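    This brought me to the following solution, which I placed in my .htaccess:

    <IfModule mod_headers.c>
        # Send HSTS only when the request arrived over HTTPS, either directly or
        # at the load balancer (the ELB reports the client scheme in X-Forwarded-Proto).
        <If "%{REQUEST_SCHEME} == 'https' || %{HTTP:X-Forwarded-Proto} == 'https'">
            Header set Strict-Transport-Security "max-age=31536000"
        </If>
    </IfModule>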

    It works better in my environment and I feel that it is more reliable for meeting the RFC.

    You could drop the %{REQUEST_SCHEME} == 'https' part if you never hit your instances directly, but that's part of my debug process in my dev environments.

    Much thanks to Pedreiro for pointing me in the right direction for the actual specifications on the HSTS RFC.
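
Added example, not part of the answer above: a Python check for the behaviour the answer aims at, namely that Strict-Transport-Security is present and well-formed on responses to HTTPS requests and never sent on plain-HTTP ones (RFC 6797, sections 6.1 and 7.2). The function names and the sample responses are constructed for illustration.

```python
import re

# RFC 6797 section 6.1: directive = token [ "=" ( token | quoted-string ) ]
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*("[^"]*"|{TOKEN}))?')

def parse_hsts(value):
    """Return the directives of a Strict-Transport-Security value, or raise ValueError."""
    directives = {}
    # Empty directives (trailing ';') are skipped; assumes no ';' inside a quoted-string.
    for part in filter(None, (p.strip() for p in value.split(";"))):
        m = DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = (m.group(2) or "").strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(age)
    return directives

def audit(responses):
    """responses: (scheme the client used, response headers); returns (index, finding) pairs."""
    findings = []
    for i, (scheme, headers) in enumerate(responses):
        sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if scheme == "http":
            if sts is not None:  # section 7.2: not over non-secure transport
                findings.append((i, "STS header sent over plain HTTP"))
        elif sts is None:
            findings.append((i, "HTTPS response without STS header"))
        else:
            try:
                parse_hsts(sts)
            except ValueError as exc:
                findings.append((i, f"invalid STS header: {exc}"))
    return findings

# Constructed sample: responses as a client would see them through the load balancer.
SAMPLE = [
    ("https", {"Strict-Transport-Security": "max-age=31536000"}),
    ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    ("https", {"Content-Type": "text/html"}),
    ("https", {"strict-transport-security": "includeSubDomains"}),
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```
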
