问题
I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine.
I've enabled HSTS on the site, but the HSTS outbound header rule which I've added is never hit on the first request to the root of the domain because of the redirect. (It works fine for subsequent https requests, because there's no redirect). This is a problem because I want to submit the site for HSTS preloading - and that requires that the redirect includes the HSTS response header....
I've tried setting the stopProcessing attribute on the rule to false (hoping that the outbound rule to set the HSTS header would then be run even on the redirect) to no avail.
Here are the relevant extracts from my config file:
<rewrite>
<rules>
<rule name="Canonical Host Name, HTTPS enabled" stopProcessing="false">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" negate="true" pattern="www.mysite.co.uk" />
<add input="{HTTP_HOST}" negate="true" pattern="^[a-z0-9]+\.cloudapp\.net$" />
<add input="{HTTP_HOST}" negate="true" pattern="localhost" />
</conditions>
<action type="Redirect" url="https://www.mysite.co.uk/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<!-- hsts | http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx -->
<outboundRules rewriteBeforeCache="true">
<rule name="Add Strict-Transport-Security" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="(mysite.co.uk|www.mysite.co.uk)" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
回答1:
Had to add the header as follows:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
</customHeaders>
</httpProtocol>
</system.webServer>
This sends the header even when sending a redirect. I removed the outboundRules section.
回答2:
From this answer on Server Fault,
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
Please, make sure you configure your server properly.
来源:https://stackoverflow.com/questions/35013967/adding-hsts-http-headers-on-domain-root-during-redirect-to-www-subdomain-in-web