2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to apply an HSTS security policy, walking through the configuration with a practical example. The steps are simple, quick and practical, and should help you solve the "how to apply HSTS security policy" problem.
HSTS is an abbreviation for HTTP Strict Transport Security. It is a mechanism by which a website declares that it may only be accessed over a secure connection (HTTPS). Once a website has declared an HSTS policy, the browser must refuse all plain HTTP connections to it and must not let users accept an insecure SSL certificate.
HSTS deployment
The server enables HSTS by including the Strict-Transport-Security field in the HTTP response header it returns when the client makes a request over HTTPS. An HSTS header sent over an unencrypted connection has no effect.
The best place to deploy HSTS is the component closest to the user. For example, if the architecture has a front-end reverse proxy in front of back-end Web servers, configure HSTS on the front-end proxy; otherwise configure it in the Web server layer. If the Web server does not support HSTS directly, use whatever mechanism it offers for adding response headers. If all else fails, add the header in the application layer.
It is easy to enable HSTS by adding the following field to the response header:

    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

Strict-Transport-Security is the name of the header field; max-age is how long the client keeps the HSTS policy in effect (the value is in seconds); includeSubDomains makes the policy apply to all subdomains; preload requests inclusion in the browsers' built-in preload list of domain names.
The HSTS policy can only be set in an HTTPS response; the website must use the default port 443 and must be addressed by domain name, not by IP. You therefore need to redirect HTTP to HTTPS. If an HSTS header were honoured in a plaintext response, a man-in-the-middle attacker could inject HSTS information into a normal HTTP site and cause a denial of service, because clients would then refuse to load it over HTTP.
Enable HSTS on Apache

    $ vim /etc/apache2/sites-available/hi-linux.conf

    # To enable HSTS, the headers module must be loaded
    LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

    ServerName www.hi-linux.com
    ServerAlias hi-linux.com
    ...
    # Redirect all visitors to HTTPS, which addresses the HSTS first-visit problem
    RedirectPermanent / https://www.hi-linux.com/
    ...
    # Enable HTTP Strict Transport Security
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Restart the Apache service

    $ service apache2 restart

Enable HSTS on Nginx

    $ vim /etc/nginx/conf.d/hi-linux.conf

    server {
        listen 443 ssl;
        server_name www.hi-linux.com;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ...
    }

    server {
        listen 80;
        server_name www.hi-linux.com;
        return 301 https://www.hi-linux.com$request_uri;
        ...
    }

Restart the Nginx service

    $ service nginx restart

Enable HSTS on IIS
Third-party modules are required to enable HSTS on IIS.
After the setup is complete, you can use the curl command to verify that the setting took effect. If the response contains the Strict-Transport-Security field, the setting is successful.

    $ curl -I https://www.hi-linux.com
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 27 May 2017 03:52:19 GMT
    Content-Type: text/html; charset=utf-8
    ...
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    ...
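The following is an added example, not code from the original article: it models what the browser does with the header shown above and in the deployment section. It parses a Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, values may be quoted, unknown directives are ignored, a missing or duplicated max-age makes the header invalid), ignores the header when the response did not arrive over HTTPS, keeps a small policy cache that expires after max-age and honours includeSubDomains, and checks the directive requirements for the preload list. The sample response is constructed to resemble the curl output above; the one-year minimum for preload reflects the published hstspreload.org rules and is an assumption about their current state.

```python
"""Model of browser-side HSTS handling (RFC 6797). Added example; sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Minimum max-age the preload list asks for (assumption: one year, per hstspreload.org rules)
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None if the header is invalid."""
    max_age = None
    include_sub = False
    preload = False
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # values may be quoted
        if name in seen:
            return None                      # a duplicated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored
    if max_age is None:
        return None                          # max-age is required
    return HstsPolicy(max_age, include_sub, preload)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn a `curl -I` style response dump into a dict with lowercase header names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return headers


class HstsCache:
    """Minimal model of a browser's store of known HSTS hosts."""

    def __init__(self) -> None:
        self._store: Dict[str, tuple] = {}   # host -> (expires_at, include_subdomains)

    def learn(self, host: str, scheme: str, headers: Dict[str, str], now: int) -> bool:
        """Record the policy from a response; returns True if a policy was applied."""
        if scheme != "https":
            return False                     # the header is ignored over plain HTTP
        sts = headers.get("strict-transport-security")
        if sts is None:
            return False
        policy = parse_sts(sts)
        if policy is None:
            return False
        if policy.max_age == 0:
            # max-age=0 withdraws a policy learned from a response; it does not
            # touch entries that come from the browser's built-in preload list
            self._store.pop(host, None)
            return True
        self._store[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def must_use_https(self, host: str, now: int) -> bool:
        """True if a plain http:// request to host has to be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._store.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue                     # policy has expired
            if i == 0 or include_sub:        # exact host, or a parent with includeSubDomains
                return True
        return False


def preload_ready(policy: HstsPolicy) -> bool:
    """Check the header directives the preload list requires (assumed rules, see lead-in)."""
    return policy.max_age >= PRELOAD_MIN_MAX_AGE and policy.include_subdomains and policy.preload


# Constructed sample, shaped like the curl -I output in the article
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    pol = parse_sts(hdrs["strict-transport-security"])
    print("policy:", pol, "preload-ready:", preload_ready(pol))
    cache = HstsCache()
    cache.learn("www.hi-linux.com", "https", hdrs, now=0)
    print("upgrade blog.www.hi-linux.com:", cache.must_use_https("blog.www.hi-linux.com", now=10))
```

Two details of the model are worth noting when checking a real deployment. The cache only learns from an HTTPS response, which is why the HTTP-to-HTTPS redirect in the server configuration matters: a visitor who has never reached the HTTPS site has nothing in the cache, so the first request is still plain HTTP. And the policy is tied to the exact host that sent it; the bare domain hi-linux.com is not covered by a header served only from www.hi-linux.com unless that host's own response carries the policy.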
For HSTS and the HSTS Preload List, the recommendation is not to enable them unless you are sure you can serve the site over HTTPS permanently. Once HSTS takes effect, users who have visited before will be redirected to HTTPS until max-age expires, so if HTTPS is withdrawn they can no longer reach the site. The only way out is to change the domain name.
This is the end of the content on "how to apply HSTS security policies". Thank you for reading.