A website that adopts HSTS ensures that the browser always connects to the HTTPS-encrypted version of the site, without the user having to type the encrypted address into the URL bar by hand. The protocol helps a site go fully encrypted, so that what users see is the secure version of the site. HSTS works by forcing the client (such as a browser) to establish its connection to the server over HTTPS.
A server enables HSTS by including the Strict-Transport-Security field in the HTTP response header it returns when the client makes a request over HTTPS. An HSTS field set on an unencrypted (plain HTTP) response is ignored.
One point to note: the max-age value in Strict-Transport-Security must not be less than 15552000 (seconds).
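The two rules above (the header only counts when received over HTTPS, and max-age must be at least 15552000) are easy to get wrong when rolling out HSTS. The following checker is an added example, not code from the original article: it parses a Strict-Transport-Security header and reports why a response would not qualify, including the includeSubDomains and preload directives that the preload submission form also requires (an assumption added here, not a rule the article states).

```python
from __future__ import annotations
from dataclasses import dataclass, field

MIN_MAX_AGE = 15552000  # minimum max-age stated in the article, in seconds


@dataclass
class HstsCheck:
    ok: bool
    max_age: int | None
    problems: list[str] = field(default_factory=list)


def parse_hsts(header: str) -> dict[str, str | None]:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive, so they are lower-cased here."""
    directives: dict[str, str | None] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header: str | None, over_https: bool) -> HstsCheck:
    """Evaluate one response: was it served over HTTPS, and does the header qualify?"""
    problems: list[str] = []
    if not over_https:
        # Browsers ignore HSTS on plain HTTP, so an HTTP-only header achieves nothing.
        problems.append("header received over plain HTTP is ignored by browsers")
    if header is None:
        problems.append("Strict-Transport-Security header missing")
        return HstsCheck(False, None, problems)
    d = parse_hsts(header)
    max_age = None
    value = d.get("max-age")
    if value is None or not value.isdigit():
        problems.append("max-age missing or not a number")
    else:
        max_age = int(value)
        if max_age < MIN_MAX_AGE:
            problems.append(f"max-age {max_age} is below the minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing (needed for preload)")
    if "preload" not in d:
        problems.append("preload directive missing (needed for preload)")
    return HstsCheck(not problems, max_age, problems)
```

Run `check_hsts(response.headers.get("Strict-Transport-Security"), response.url.startswith("https://"))` against your own site's response to see every reason it would be rejected at once.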
On a Windows Server machine, open the web.config file in the site's directory, add the URL rewrite rule for the HTTPS response at the appropriate location (the part shown in bold), and save the file.
Once HSTS is enabled, the test score for your SSL/TLS deployment can reach A+ or above. At that point you can apply to join the HSTS Preload List.
The HSTS Preload List is the list of HSTS-preloaded sites built into the Chrome browser; sites on the list are automatically switched to HTTPS when visited with Chrome. Firefox, Safari and Edge also use this list.
Go to the hstspreload website and enter your domain name; the check result will tell you whether the domain is eligible to join the HSTS Preload List. If there are no problems, tick the boxes and confirm.
Of course, after being added to the HSTS Preload List you may still need to wait 1-2 months; once new versions of Chrome and Chromium, Firefox, IE and the others are released, your domain is officially recognised by the major browsers and forced to be accessed over HTTPS.