How to disable HSTS header with HTTP?

杀马特。学长 韩版系。学妹 提交于 2019-12-23 12:24:33

问题


I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list:

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"   
</ifModule>

The problem is that when I submit my site, I obtain:

Warning: Unnecessary HSTS header over HTTP. The HTTP page at http: //fabriziorocca.it sends an HSTS header. This has no effect over HTTP, and should be removed.

At the moment I use the following in the .htaccess in order to switch from http to https:

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

How can I solve the problem?

Thank you in advance.


回答1:


Try with:

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == on"
</ifModule>

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]



回答2:


Below your redirect rules add the code:

Header always set Strict-Transport-Security "max-age=31536000; 
includeSubDomains; preload" env=HTTPS



回答3:


No... Error: HTTP redirects to www first http://domain.fr (HTTP) should immediately redirect to https://domain.fr (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.domain.fr/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.



来源:https://stackoverflow.com/questions/38235475/how-to-disable-hsts-header-with-http

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!