Spring boot: Do not send HSTS header

末鹿安然 提交于 2019-12-12 09:17:24

问题


In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up the request then fails with the error Response for preflight is invalid (redirect).


回答1:


I resolved this issue by configuring the the HSTS header as follows:

@Configuration
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    ...
          http.headers().httpStrictTransportSecurity()
              .maxAgeInSeconds(0)
              .includeSubDomains(true);
    }
}

Disabling HSTS did not work for me.




回答2:


If you don’t have HTTPS set up then the HSTS value should never be read - browsers must ignore HSTS sent over an unencrypted HTTP connection.

If you once did have HTTPS but now no longer do (or if you have HTTPS on some of your domains/pages), then your browser may have cached the HSTS setting for whatever max-age value was set when the browser last read the header. You would need to clear this in your browser. How to do this varies from browser to browser, but one of the easier ways that works in all browsers is to publish a new HSTS header with a max-age of 0 like you have done and then visit a page over HTTPS (not over unencrypted HTTP). This obviously requires you to have a HTTPS setup which you say you do not have? After all your browsers all have got the new setting for all affected domains, you can then stop publishing that HSTS header completely.

Skipping the reset step and just turning off the header when the browser has a previous version cached will not work - at least until the browser’s cached version expires after the max-age time.



来源:https://stackoverflow.com/questions/49201779/spring-boot-do-not-send-hsts-header

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!