Forcing HTTPS over HTTP

广开言路 2021-01-23 21:06

So I want to force the user to access the https version of my page rather than the http. And according to this post all I have to do is this:

RewriteEngine On 
R         


        
4 Answers
  • 2021-01-23 21:34

    You can leave it in the root directory but change it to:

    RewriteRule ^(your-directory/.*)$ https://www.yourdomain.com/$1 [R,L]
    

    Keep in mind, though, that before the redirect happens, the cookies and query parameters with possibly sensitive data have already been sent in clear text, so remember to use the secure cookie attribute if you use cookies.

    0 Discussion (0)
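
The Secure-attribute caveat in the answer above can be checked from the response headers on both ports. This is an added example, not part of the original answer: `audit` and its helpers are hypothetical names, and both sample responses are constructed.

```python
# Constructed sample responses (not captured from a real site).
HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.yourdomain.com/your-directory/login\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=xyz789; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (status code, [(lowercased header name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    pairs = (line.split(":", 1) for line in lines[1:] if ":" in line)
    return status, [(k.strip().lower(), v.strip()) for k, v in pairs]

def cookies(headers):
    """Yield (cookie name, set of lowercased attribute names) per Set-Cookie."""
    for name, value in headers:
        if name == "set-cookie":
            first, *attrs = value.split(";")
            yield first.split("=", 1)[0].strip(), {
                a.split("=", 1)[0].strip().lower() for a in attrs}

def audit(http_raw, https_raw):
    """Hypothetical helper: list (subject, problem) findings for one site."""
    findings = []
    status, headers = parse_head(http_raw)
    location = dict(headers).get("location", "")
    is_redirect = status in (301, 302, 303, 307, 308)
    if not is_redirect or not location.lower().startswith("https://"):
        findings.append(("redirect", "port 80 does not redirect to https://"))
    # Anything set on port 80 has already crossed the wire unencrypted.
    for name, _ in cookies(headers):
        findings.append((name, "set on the plain-HTTP response"))
    # Without Secure, the browser attaches the cookie to http:// requests too.
    for name, attrs in cookies(parse_head(https_raw)[1]):
        if "secure" not in attrs:
            findings.append((name, "missing Secure, browser will send it over http://"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(HTTP_RESPONSE, HTTPS_RESPONSE):
        print(f"{subject}: {problem}")
```
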
  • 2021-01-23 21:34

    seems silly to "force ssl" till they fix the big gaping security hole it opens up in browsers in the name of "site verification" this has no real basis and there is potential for abuse by a rogue CA, rogue state, or corruption. (and the "verification" is useless anyway, not being based on user wishes nor anyone actually looking at the sites - there are plenty of phishing sites out there with "valid" certificates!)

    there is way too much misinformation being bandied around about SSL

    you get the same encryption with a self signed certificate but browsers tell users your site is "untrusted" (with of course no basis - "not checked" or "not verifiable" would be what any warning should actually say - warnings need to be informative not something that just scares users so much most of them just close them without even reading the rest of the warning!)

    until this is fixed in browsers I cannot recommend the use of SSL at all in a web site context.

    meanwhile all I can recommend is to forget port 443 and implement your own encryption layer (or use something like ssh if it doesn't need to be a browser)

    0 Discussion (0)
  • 2021-01-23 21:37

    This is a not-so-good method of going about this, especially if you have access to httpd.conf. The better method is to create TWO virtual hosts. One for your standard port 80 stuff, which simply has an unconditional redirect to the SSL version, e.g. in pseudo-ish .conf talk:

    <VirtualHost example.com:80>
       # Unconditional redirect; the trailing slash keeps the request path intact
       RedirectPermanent / https://example.com/
       DocumentRoot /some/fake/path
    </VirtualHost>
    
    <VirtualHost example.com:443>
       # normal site stuff here...
    </VirtualHost>
    

    This has the advantage of leaving the redirect viable even if a config messup disables .htaccess files, plus serving up bogus/non-existent content if SSL dies for whatever reason.

    0 Discussion (0)
  • 2021-01-23 21:44

    Your site can be vulnerable if you're redirecting from http to https. Take a look at this for some more information on that.

    http://www.thoughtcrime.org/software/sslstrip/

    0 Discussion (0)