Introduction to HSTS
HSTS stands for HTTP Strict Transport Security, a web security policy mechanism specified in RFC 6797. HSTS first appeared on the ThoughtWorks Technology Radar in 2015, and in the 2016 issue of the Radar it moved straight from the "Trial" ring to "Adopt", meaning that ThoughtWorks strongly advocates industry-wide adoption of this defence and has applied it to its own projects. At its core HSTS is a single HTTP response header. It tells the browser that, for a stated period of time, the current domain may only be reached over HTTPS. While that policy is in force the browser rewrites any http:// URL for the domain to https:// before the request leaves the machine, and if the HTTPS connection cannot be established securely (for example because the certificate is invalid or untrusted) the browser refuses the connection outright instead of offering the user a click-through warning.
A website with an HSTS policy ensures that the browser always connects to the HTTPS version of the site, so users no longer need to type the encrypted address into the URL bar by hand, and the window in which a session could be hijacked over plain HTTP is closed.
HTTPS (SSL/TLS) lets users and websites communicate securely, making it hard for an attacker to intercept, modify or impersonate the traffic. But when a user types a bare domain name or follows an http:// link, the site's very first request goes out unencrypted over plain HTTP. Well-run sites immediately answer with a redirect to the https:// address; a man-in-the-middle, however, can intercept that initial HTTP request and from then on control everything the user receives (the classic SSL-stripping attack).
HSTS principles
HSTS controls the browser through a response header sent by the server: when a client makes a request over HTTPS, the server includes the Strict-Transport-Security field in the response headers. Once the browser has received it, every request to the site within the stated period is issued over HTTPS directly, instead of starting as HTTP and relying on the server to redirect it. The header only counts when it arrives over HTTPS; a browser ignores it in a plain-HTTP response, because an attacker on the path could otherwise inject or strip it at will.
HSTS response header format
The header has the form `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]`. Parameter description:
max-age (in seconds): Tells the browser that, for the given period, the site must be reached over HTTPS. For any http:// address under this host the browser rewrites the scheme to https:// locally before sending the request. Every HTTPS response carrying the header refreshes the expiry, and max-age=0 tells the browser to discard the stored policy for the host.
includeSubDomains (optional): If present, all subdomains of the host must also be reached over HTTPS. Check before enabling it that every subdomain (including internal or legacy ones) actually serves HTTPS, otherwise they become unreachable from browsers that have seen the header.
preload (optional): Signals the site owner's consent to have the domain added to the list of HTTPS-only domains compiled into browsers (see the next section). Browsers do not act on this directive by themselves; it is checked when the domain is submitted to the preload list.
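The following is an added example, not code from the original article: a small model of how a browser stores and applies the policy described above, following the rules of RFC 6797 (header accepted only over HTTPS, mandatory max-age, max-age=0 clears, includeSubDomains matching on parent labels, expiry). The host names, header values and URLs used in it are constructed for illustration.

```javascript
// Model of a browser's HSTS policy store (added example, not the article's own code).
// Host names, header values and URLs here are constructed for illustration only.

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains, preload }.
// Returns null when the header is malformed and must be ignored (RFC 6797 §6.1):
// max-age missing or non-numeric, or any directive repeated.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    // Values may be quoted strings; strip one pair of surrounding quotes.
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;          // duplicate directive: ignore whole header
    seen.add(name);
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  return policy.maxAge === null ? null : policy;   // max-age is mandatory
}

class HstsStore {
  // `now` is injectable so expiry can be tested without waiting.
  constructor(now = () => Date.now()) { this.now = now; this.entries = new Map(); }

  // Called for every response. Only HTTPS responses may set or clear a policy;
  // the same header received over plain HTTP is discarded.
  processResponse(host, scheme, headerValue) {
    if (scheme !== 'https' || headerValue == null) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) { this.entries.delete(host); return true; }   // max-age=0 clears
    this.entries.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True when `host` itself, or a parent domain whose policy has includeSubDomains,
  // holds an unexpired policy. Expired entries are dropped on the way.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request leaves the client.
  // The URL class drops a default port, so an explicit :80 ends up as the
  // default 443 after the scheme change, which is what RFC 6797 §8.3 asks for.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.href;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const store = new HstsStore();
  store.processResponse('example.com', 'https', 'max-age=31536000; includeSubDomains');
  console.log(store.upgrade('http://api.example.com/v1'));   // https://api.example.com/v1
  console.log(store.upgrade('http://other.test/'));          // unchanged: no policy
}
```

Two details the model makes visible: a policy set without includeSubDomains does nothing for api.example.com, and a header seen only over HTTP leaves the store empty, which is why the server configurations below must send it on HTTPS responses.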
HSTS Preload List
Although HSTS is a good defence against HTTPS downgrade attacks, the very first HTTP request, made before the browser has ever seen the header, can still be hijacked. To close that gap, browser vendors introduced the HSTS Preload List: a list of domains compiled into the browser itself, which the browser treats as HSTS-enabled even on the first visit. A domain is submitted at hstspreload.org, and to qualify it must serve the header over HTTPS with a max-age of at least one year (31536000 seconds), together with includeSubDomains and preload, and must redirect HTTP to HTTPS. Because the list ships inside browser releases, getting a domain removed again takes months, so every subdomain must be ready for HTTPS-only operation before you submit. (omitted)
IIS configuration
Before making the change, visit the site and inspect its response headers, as shown in the screenshot below:
On IIS 7 and later, the simplest route is to add a custom header for HSTS in web.config, configured as follows:
After the change, revisit the site and check that the Strict-Transport-Security header is now present in the response, as shown in the screenshot below:
Nginx configuration
If the site sits behind an nginx reverse proxy, nginx can add the header itself, as follows:
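The server blocks below are an added example rather than the original article's configuration. The host name, certificate paths and the upstream address 127.0.0.1:8080 are placeholders; the one-year max-age is my choice.

```nginx
# Added example nginx configuration (not from the original article).
# example.com, the certificate paths and the upstream port are placeholders.

# Plain HTTP: redirect only. Deliberately no HSTS header here; browsers would
# ignore it over HTTP, and sending it would only mislead anyone reading the config.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # "always" (nginx 1.7.5+) makes the header appear on 4xx/5xx responses too;
    # without it nginx adds headers only to 2xx/3xx responses, so a browser that
    # first meets the site on an error page would never learn the policy.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Note: any add_header inside a location block replaces ALL add_header
        # directives inherited from the server block. If you add headers here,
        # repeat the Strict-Transport-Security line in this location as well.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm with `curl -sI https://example.com/ | grep -i strict-transport` that the header is present on HTTPS and with `curl -sI http://example.com/` that the HTTP side answers with a 301 and no HSTS header.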
Chrome View Rules
To view the HSTS rules Chrome currently holds, type chrome://net-internals/#hsts into the address bar and press Enter, as shown in the figure below. The page lets you query a single domain to see its stored policy and expiry, and also delete a domain's entry, which is handy when testing a configuration change.