Adding HSTS http headers on domain root during redirect to www subdomain in web.config

一个人想着一个人 提交于 2019-12-12 05:19:52

问题


I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine.

I've enabled HSTS on the site, but the HSTS outbound header rule which I've added is never hit on the first request to the root of the domain because of the redirect. (It works fine for subsequent https requests, because there's no redirect). This is a problem because I want to submit the site for HSTS preloading - and that requires that the redirect includes the HSTS response header....

I've tried setting the stopProcessing attribute on the rule to false (hoping that the outbound rule to set the HSTS header would then be run even on the redirect) to no avail.

Here are the relevant extracts from my config file:

<rewrite>
  <rules>
    <rule name="Canonical Host Name, HTTPS enabled" stopProcessing="false">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{HTTP_HOST}" negate="true" pattern="www.mysite.co.uk" />
        <add input="{HTTP_HOST}" negate="true" pattern="^[a-z0-9]+\.cloudapp\.net$" />
        <add input="{HTTP_HOST}" negate="true" pattern="localhost" />
      </conditions>
      <action type="Redirect" url="https://www.mysite.co.uk/{R:1}" redirectType="Permanent" />
    </rule>

  </rules>

        <!-- hsts | http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx -->
     <outboundRules rewriteBeforeCache="true">
            <rule name="Add Strict-Transport-Security" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions logicalGrouping="MatchAll">
                    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    <add input="{HTTP_HOST}" pattern="(mysite.co.uk|www.mysite.co.uk)" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
            </rule>  
    </outboundRules>

</rewrite>

回答1:


Had to add the header as follows:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
      </customHeaders>
    </httpProtocol>
</system.webServer>

This sends the header even when sending a redirect. I removed the outboundRules section.




回答2:


From this answer on Server Fault,

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

Please, make sure you configure your server properly.



来源:https://stackoverflow.com/questions/35013967/adding-hsts-http-headers-on-domain-root-during-redirect-to-www-subdomain-in-web

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!