I've got just one page that I want to force to be accessed as an HTTPS page (PHP on Apache). How do I do this without making the whole directory require HTTPS? Or, if you s
Use .htaccess:
RewriteEngine On
# if the request is plain HTTP and the host already starts with www., send it to https:// on the same host
RewriteCond %{HTTPS} =off
RewriteCond %{HTTP_HOST} ^www\.[^.]+\.[^.]+$ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=307]
# if the host has no www., send it to https://www. (covers both http and https requests)
RewriteCond %{HTTP_HOST} ^[^.]+\.[^.]+$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=307]
You shouldn't for security reasons. Especially if cookies are in play here. It leaves you wide open to cookie-based replay attacks.
Either way, you should use Apache control rules to tune it.
Then you can test for HTTPS being enabled and redirect as needed, where needed.
You should redirect to the pay page only using a FORM POST (no GET), and accesses to the page without a POST should be directed back to the other pages. (This will catch the people just hot-jumping.)
http://joseph.randomnetworks.com/archives/2004/07/22/redirect-to-ssl-using-apaches-htaccess/ is a good place to start; apologies for not providing more. But you really should shove everything through SSL.
It's over-protective, but at least you have fewer worries.
You should force the client to request HTTPS always with HTTP Strict Transport Security (HSTS) headers:
<?php
// Use HTTP Strict Transport Security to force the client to use secure connections only
$use_sts = true;
// Apache's mod_ssl sets HTTPS to 'on' over TLS; IIS sets HTTPS to 'off' for non-SSL requests
if ($use_sts && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    // already on HTTPS: tell the browser to use HTTPS for this host for one year
    header('Strict-Transport-Security: max-age=31536000');
} elseif ($use_sts) {
    // note: HTTP_HOST is taken from the client's Host header, so the target host is not validated here
    header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
    // we are in cleartext at the moment, prevent further execution and output
    die();
}
Please note that HSTS is supported in most modern browsers, but not universally. Thus the logic above manually redirects the user, regardless of support, if they end up on HTTP, and then sets the HSTS header so that further client requests should be redirected by the browser if possible.
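Putting the pieces of the answers above together for the original question (one page, not the whole directory), here is an added example that is not code from any of the answers. It assumes a page called pay.php and a canonical hostname www.example.com (both placeholders), and the function names request_is_https, plan_https_enforcement and enforce_https are mine. Unlike the snippet above, it takes the redirect target's hostname from configuration rather than from the client's Host header, and it also applies the POST-only rule the second answer recommends.

```php
<?php
// Added example: enforce HTTPS (plus HSTS) for a single page such as pay.php.
// Assumed: Apache terminates TLS itself, so $_SERVER['HTTPS'] is trustworthy;
// the canonical hostname below is a placeholder to be replaced.
const CANONICAL_HOST = 'www.example.com';  // placeholder, not a real deployment value
const FALLBACK_PAGE  = '/cart.php';        // placeholder page to send non-POST visitors back to

/**
 * True when the current request arrived over TLS.
 * mod_ssl sets HTTPS to "on"; IIS sets it to "off" for plain HTTP,
 * so test the value rather than just its presence.
 */
function request_is_https(array $server): bool
{
    if (!isset($server['HTTPS']) || $server['HTTPS'] === '') {
        return false;
    }
    return strtolower((string) $server['HTTPS']) !== 'off';
}

/**
 * Decide how to handle a request to the protected page.
 * Returns a description of the action instead of emitting headers so the
 * decision can be unit-tested without a web server.
 */
function plan_https_enforcement(array $server, string $canonicalHost, bool $requirePost): array
{
    if (!request_is_https($server)) {
        // Plain HTTP: send the visitor to the same path on HTTPS.
        // The hostname comes from configuration, so a forged Host header
        // cannot turn this redirect into an open redirect.
        $path = $server['REQUEST_URI'] ?? '/';
        return [
            'action'   => 'redirect',
            'location' => 'https://' . $canonicalHost . $path,
            'status'   => 301,
        ];
    }

    if ($requirePost && ($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        // Reached by a direct link or bookmark rather than the checkout form:
        // bounce back to the previous step (see the second answer above).
        return [
            'action'   => 'redirect',
            'location' => 'https://' . $canonicalHost . FALLBACK_PAGE,
            'status'   => 303,
        ];
    }

    // Already on HTTPS via a POST: ask the browser to stay on HTTPS for this host.
    return [
        'action' => 'hsts',
        'header' => 'Strict-Transport-Security: max-age=31536000',
    ];
}

/** Apply the plan. Call this before any output is sent. */
function enforce_https(array $server, string $canonicalHost = CANONICAL_HOST, bool $requirePost = true): void
{
    $plan = plan_https_enforcement($server, $canonicalHost, $requirePost);
    if ($plan['action'] === 'redirect') {
        header('Location: ' . $plan['location'], true, $plan['status']);
        exit; // nothing else may be emitted over cleartext
    }
    header($plan['header']);
}

// Usage at the very top of pay.php, before any HTML:
// enforce_https($_SERVER);
```

Because the check lives in the one script that needs it, the rest of the directory is unaffected. Keep in mind that a POST which arrives over plain HTTP has already crossed the network in cleartext before this code runs, which is why the answers above favour forcing HTTPS on the page that hosts the form, not only on the page that receives it.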