What is HSTS
HSTS (HTTP Strict Transport Security) is a web security mechanism standardized by the Internet Engineering Task Force (IETF) in RFC 6797. A server that sends the Strict-Transport-Security response header tells clients (such as browsers) to reach it only over HTTPS for a stated period: the browser rewrites any later http:// request for that host to https:// before the request leaves the machine.
Its main purpose is to close the weakness in the usual HTTP-to-HTTPS redirect. Users generally reach a site by typing a bare domain name such as morong.me into the browser, which sends a plain HTTP request; the server sees that it is HTTP and answers with a 301 redirect to the HTTPS page. That first leg travels unencrypted, so an attacker on the path can intercept it and keep the victim on HTTP (SSL stripping), and the protection HTTPS was supposed to give is lost. With HSTS in effect the browser never sends that plain request again: once it has seen the header over HTTPS it goes straight to https:// for the lifetime of max-age. The very first visit is still unprotected unless the domain is on the browsers' built-in preload list, so the HTTP-to-HTTPS redirect stays in place for that case.
Enable HSTS
Enabling HSTS is simple: add the Strict-Transport-Security header to the responses of the HTTPS site. The header only counts when it arrives over HTTPS; browsers ignore it on plain HTTP responses, so there is no point in adding it to the port-80 configuration. Directive names are case-insensitive, so the lower-case includesubdomains seen in many guides works, but the spelling in RFC 6797 is includeSubDomains and that is what is used below. Here is a brief introduction for common servers.
1. Nginx server
Find the nginx.conf configuration file and add the add_header line to the server block of the website that listens on port 443 (the always flag makes nginx send the header on every response, including redirects and error pages, not only on 2xx/3xx responses):
server {
    listen xx.xx.xx.xx:443 ssl http2;   # spdy is no longer supported by current nginx; use http2
    server_name www.gworg.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;   # add this line
    …
}
2. Apache Server
LoadModule headers_module modules/mod_headers.so
# place the Header line inside the HTTPS <VirtualHost *:443> block, not the port-80 one
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
3. Lighttpd
server.modules += ( "mod_setenv" )
# the scheme condition keeps the header off plain-HTTP responses, where browsers would ignore it anyway
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload" )
}
4. General Methods
If you are on shared hosting or cannot change the web server configuration, you can use a simpler general method. The principle is the same: emit the response header from application code. Only the PHP version is shown here; other languages work the same way. Two things to watch: header() must run before any output is sent (otherwise PHP reports "headers already sent" and the header is dropped), and the header should only be emitted on HTTPS responses. Note also that this only covers pages that are actually served through index.php; static files served directly by the web server will not carry the header.
Insert the following code at the very top of index.php in the root directory of the website:
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')   // only on HTTPS responses
    header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");
Conclusion: HSTS has its pros and cons. Once browsers have cached the policy, the site cannot go back to plain HTTP until max-age expires; serving max-age=0 over HTTPS tells browsers that still visit to forget the policy, but clients that never return keep it until it times out. The preload directive goes further: it signals that the domain may be added to the list compiled into browser releases (hstspreload.org requires max-age of at least one year, includeSubDomains and preload, and the policy must then hold for every subdomain), and removal from that list takes months, so only add preload when you mean it. A safe rollout is to start with a short max-age, confirm that every host and subdomain works over HTTPS, and then raise it. All current mainstream browsers support HSTS; one that does not simply ignores the header and falls back to the 301 redirect, which must stay in place in any case for first visits. Users who want to use this method to force a jump to HTTPS should weigh these points before deploying it.
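As an added example (not code from the article or from any of the servers it configures), the following Python script parses a Strict-Transport-Security value the way RFC 6797 describes, checks it against the published hstspreload.org requirements, and models the browser-side policy cache so that the points made in the configuration sections and in the conclusion can be seen running: the header is ignored on a plain HTTP response, the policy applies to subdomains only with includeSubDomains, it lasts max-age seconds, and max-age=0 served over HTTPS clears it. Host names and timestamps are constructed for the demonstration.

```python
"""Added example, not the article's own code: parse, validate and model
an HSTS (Strict-Transport-Security) policy as a browser would store it."""
import re

ONE_YEAR = 31536000  # smallest max-age hstspreload.org accepts, in seconds


def parse_hsts(value):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is invalid (missing or duplicated max-age,
    non-numeric max-age, duplicated directive). Unknown directives are
    ignored, as the RFC requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            digits = raw.strip().strip('"')  # the value may be a quoted string
            if not re.fullmatch(r"\d+", digits):
                return None
            result["max_age"] = int(digits)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:            # max-age is the one required directive
        return None
    return result


def preload_problems(value):
    """List the reasons a header would fail hstspreload.org submission
    (empty list means eligible). Hypothetical helper for this example."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least %d (one year)" % ONE_YEAR)
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive required")
    if not policy["preload"]:
        problems.append("preload directive required")
    return problems


class HstsCache:
    """Minimal model of a browser's 'Known HSTS Hosts' store."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, scheme, header_value, now):
        """Process one response. RFC 6797 section 8.1: the header is only
        honoured over a secure transport, so plain-HTTP responses change nothing."""
        if scheme != "https":
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy["max_age"] == 0:           # max-age=0 tells the UA to forget the host
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if the UA would rewrite http://host/ to https://host/ right now."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # exact host first, then each parent domain
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if now >= expiry:                  # an expired policy is treated as absent
                continue
            if i == 0 or include_sub:          # parents only match with includeSubDomains
                return True
        return False


if __name__ == "__main__":
    # the two header values used in the article's configuration snippets
    for hdr in ("max-age=31536000; includeSubDomains",
                "max-age=63072000; includeSubDomains; preload"):
        print(hdr, "->", preload_problems(hdr) or "preload-eligible")
```

Running the script prints the preload verdict for the two header values the article uses; the nginx one is rejected only because it lacks the preload directive, which is the intended state for a site that has not decided to be preloaded.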