Recommended way to redirect HTTP requests to HTTPS

Backend · unresolved · 2 answers · 1788 views
既然无缘 · 2021-01-14 01:21

I have some doubts about how to redirect all my http pages to https.

I've seen that there are some who say to do a rewrite like in this reply:

And Apache says t

2 answers
  •  失恋的感觉
    2021-01-14 02:03

    The only secure way to redirect http to https is to use HSTS (Header Strict-Transport-Security) with the preload option.

    The Apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that didn't preload HSTS, it's your only option:

    # Plain-http vhost: its only job is to send every request to the https origin.
    # Requires mod_alias; Redirect answers 302 unless a status is given, so use
    # "Redirect permanent" (301) once the https site is known to work.
    <VirtualHost *:80>
        ServerName www.example.com
        Redirect permanent "/" "https://www.example.com/"
    </VirtualHost>

    Apache redirect

    In the https response:

    # https vhost: the HSTS header only counts when the browser receives it over TLS.
    # Requires mod_headers ("always" also covers error and redirect responses).
    <VirtualHost *:443>
        ServerName www.example.com
        # Use HTTP Strict Transport Security to force client to use secure connections only
        # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header always set Strict-Transport-Security "max-age=31536000"

        # Further Configuration goes here
        [...]
    </VirtualHost>

    HSTS

    Or, using .htaccess:

    # Requires mod_rewrite and mod_headers and AllowOverride permitting them.
    RewriteEngine On
    # Redirect if http
    RewriteCond %{HTTPS} off
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # set header if https (the HTTPS env variable is set by mod_ssl on TLS requests,
    # so the header is never emitted on the plain-http hop, where browsers would ignore it anyway)
    # Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

    The Header Strict-Transport-Security (HSTS) has 2 effects:

    • For the visitor, it tells the browser to only use https on that domain and all sub-domains for one year (all http requests will be rewritten as https requests without network interaction)
    • For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website is committed to https. Note that HSTS+preload can't be rolled back; it's a definitive commitment to security (but that's the strength of it: an attacker can't remove it either)

    The HSTS line in the comment is the most secure one but can't be rolled back:

    • Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    The HSTS line not in the comment is less secure because the first connection can still be insecure, and it does not protect subdomains:

    • Strict-Transport-Security "max-age=31536000"

    HSTS is the only reliable protection against SSLStrip.

    SEO implications: If the website already redirects all http webpages to https then that header has no negative (and no positive) effect.
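The answer above gives the config but not a way to verify what a browser will actually see. The following is an added example, not code from the original post or from Apache: an offline checker that parses a Strict-Transport-Security value the way RFC 6797 requires (duplicate directives or a missing max-age void the header) and walks an http-to-https redirect chain to report whether the deployment meets the hstspreload.org requirements the answer refers to (max-age of at least one year, includeSubDomains, preload, permanent same-host redirect). The response chains are constructed samples; to audit a live site, replace them with (url, status, headers) tuples captured with curl or urllib.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000                 # hstspreload.org: max-age must be at least one year
Response = Tuple[str, int, Dict[str, str]]  # (requested URL, status code, response headers)


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when a conforming browser would discard the header: max-age
    missing or non-numeric, or any directive given more than once."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None                     # duplicate directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def evaluate(chain: List[Response]) -> dict:
    """Walk a redirect chain that starts at the http:// URL and report whether it
    matches the answer's recommendations and the hstspreload.org requirements."""
    report = {"redirect_to_https": False, "redirect_permanent": False, "hsts_on_http": False,
              "https_policy": None, "preload_eligible": False, "warnings": [], "problems": []}
    first_url, status, headers = chain[0]
    headers = _lower(headers)
    host = urlsplit(first_url).hostname
    # Browsers MUST ignore STS received over plain HTTP (RFC 6797 section 8.1), so a
    # header on the :80 vhost is a sign of misconfiguration, not protection.
    if "strict-transport-security" in headers:
        report["hsts_on_http"] = True
        report["warnings"].append("HSTS header sent over http is ignored by browsers")
    target = urlsplit(headers.get("location", ""))
    if status in (301, 302, 307, 308) and target.scheme == "https" and target.hostname == host:
        report["redirect_to_https"] = True
        report["redirect_permanent"] = status in (301, 308)
        if not report["redirect_permanent"]:
            report["warnings"].append("redirect is temporary; use 301 or 308")
    else:
        report["problems"].append("http request is not redirected to https on the same host")
    # every https hop, including any further https redirect, must carry a valid HSTS header
    for url, _, hdrs in chain[1:]:
        if urlsplit(url).scheme != "https":
            report["problems"].append(f"insecure hop in chain: {url}")
            continue
        policy = parse_hsts(_lower(hdrs).get("strict-transport-security", ""))
        if policy is None:
            report["problems"].append(f"no valid HSTS header on {url}")
        elif report["https_policy"] is None:
            report["https_policy"] = policy
    p = report["https_policy"]
    if p is not None:
        if p["max_age"] < PRELOAD_MIN_AGE:
            report["problems"].append("max-age below one year")
        if not p["include_subdomains"]:
            report["problems"].append("includeSubDomains missing: subdomains stay unprotected")
        if not p["preload"]:
            report["problems"].append("preload missing: the first visit can still be stripped")
    report["preload_eligible"] = p is not None and not report["problems"]
    return report


# Constructed sample chains (not captured from any real site).
GOOD_CHAIN: List[Response] = [          # the commented-out line from the answer
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
WEAK_CHAIN: List[Response] = [          # the active line: return visits only, no subdomains
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
]
MISPLACED_CHAIN: List[Response] = [     # common mistake: header on the :80 vhost, nothing on :443
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/",
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://www.example.com/", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("weak", WEAK_CHAIN), ("misplaced", MISPLACED_CHAIN)):
        r = evaluate(chain)
        print(f"{name}: preload_eligible={r['preload_eligible']} problems={r['problems']} warnings={r['warnings']}")
```

The misplaced case is the one worth remembering: a header that only appears on the :80 vhost looks correct in curl output but gives no protection at all, because RFC 6797 tells browsers to drop STS received over plain HTTP.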
