This article was last revised 1105 days ago, and some of the information may be outdated. If you urgently need an update, please leave a message in the comment area below.
This site passed the HSTS Preload List review a few days ago. At the moment the status query shows it as "preloaded"; it should reach the stable channel in a while.
First, the definition. HTTP Strict Transport Security (HSTS) is an Internet security policy mechanism published by the Internet Engineering Task Force. A website can opt in to the HSTS policy to force browsers to communicate with it only over HTTPS, which reduces the risk of session hijacking. [1]
Role of HSTS
The role of HSTS is to force clients (such as browsers) to connect to the server only over HTTPS. [2]
In other words, the site uses this mechanism to tell the browser to use HTTPS for this domain from now on: a request to an http:// URL is upgraded to https:// inside the browser before anything is sent on the wire, instead of relying on the server to issue a 301 redirect.
Shortcomings of HSTS
Users visiting a website for the first time are not protected by HSTS, because at that point the browser has not yet received the HSTS header and may still connect over clear-text HTTP.
Browsers therefore ship with a built-in list of HSTS domains (the preload list) to close this gap.
HSTS Preload List
What is "HSTS Preload List"
The HSTS preload list is a list of domains that have opted in to HSTS; browsers will only ever connect to these domains over HTTPS. Once a site is ready, its webmaster can submit the domain at hstspreload.org, which causes the domain to be hard-coded as HTTPS-only in the browser. Since all mainstream modern browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) carry preload lists derived from Chrome's list, a preloaded domain is protected from man-in-the-middle attacks even on the very first visit. [3]
Join HSTS Preload List
To join the HSTS Preload List, the following requirements must be met: [4]
Serve a valid SSL certificate.
If you are listening on port 80, redirect from HTTP to HTTPS on the same host.
Serve all subdomains over HTTPS.
Serve an HSTS response header on the base domain for HTTPS requests:
The max-age must be at least 31536000 seconds (1 year).
The includeSubDomains directive must be declared.
The preload directive must be declared.
If you serve an additional redirect from your HTTPS site, that redirect itself must carry the HSTS response header (it is not enough for the page it redirects to).
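The header requirements above are easy to get subtly wrong (a max-age copied from a tutorial that is too short, a missing directive, or a redirect hop that carries no header). The following is an added example, not code from the original post or from hstspreload.org: a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 describes (semicolon-separated directives, case-insensitive names, no duplicates, optionally quoted max-age) and reports which preload requirements the header fails. It also walks a constructed redirect chain to apply the last rule, that every HTTPS hop, including redirects, must carry an acceptable header. The domain `example.test`, the sample responses and the function names are assumptions for illustration.

```python
"""Check Strict-Transport-Security headers against the hstspreload.org
submission requirements (added example, not the site's or hstspreload.org's
own code).

Parsing follows RFC 6797: directives are separated by ';', directive names
are case-insensitive, a directive must not appear twice, and max-age is a
decimal number of seconds that may be quoted.
"""

ONE_YEAR = 31536000  # minimum max-age accepted for preload submission


def parse_sts(header):
    """Return {directive_name_lowercase: value_or_None}; raise ValueError if malformed."""
    directives = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';'
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if not name:
            raise ValueError("empty directive name")
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value
    return directives


def preload_problems(header):
    """List the reasons a header value would fail the preload requirements.

    An empty list means the header itself is acceptable. The other
    requirements (valid certificate, HTTP->HTTPS redirect, all subdomains
    on HTTPS) are server-side and cannot be judged from the header alone.
    """
    try:
        d = parse_sts(header)
    except ValueError as exc:
        return ["malformed header: %s" % exc]

    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    else:
        try:
            max_age = int(d["max-age"])
        except (TypeError, ValueError):
            problems.append("max-age is not an integer")
        else:
            if max_age < ONE_YEAR:
                problems.append("max-age %d is below one year (%d)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def check_redirect_chain(responses):
    """Apply the redirect rule to a chain of responses.

    `responses` is a list of (scheme, status, headers) tuples in the order the
    client saw them (header names are assumed canonical here). Every HTTPS
    hop, redirects included, must carry an acceptable HSTS header; plain HTTP
    hops are skipped because browsers ignore HSTS received over HTTP.
    Returns a list of (hop_index, problem) pairs.
    """
    failures = []
    for i, (scheme, status, headers) in enumerate(responses):
        if scheme != "https":
            continue
        sts = headers.get("Strict-Transport-Security")
        if sts is None:
            failures.append((i, "no HSTS header on HTTPS response %d" % status))
            continue
        for problem in preload_problems(sts):
            failures.append((i, problem))
    return failures


# Constructed sample chain: http://example.test -> https://example.test
# (301 to www, with a header that is too short) -> https://www.example.test (200).
SAMPLE_CHAIN = [
    ("http", 301, {"Location": "https://example.test/"}),
    ("https", 301, {"Location": "https://www.example.test/",
                    "Strict-Transport-Security": "max-age=300"}),
    ("https", 200, {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    for hop, problem in check_redirect_chain(SAMPLE_CHAIN):
        print("hop %d: %s" % (hop, problem))
```

In the sample chain only the middle hop fails: the final page is fine, but the apex-to-www redirect only sends `max-age=300`, which is exactly the situation the last requirement is about. On Nginx the acceptable value corresponds to a line such as `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` inside the HTTPS server block; `always` matters because without it Nginx omits `add_header` on 3xx responses, which would make the redirect hop fail in the same way.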
General steps for applying for HSTS
As an example, here I use mikusa.xyz, a domain that is about to expire.
I use LNMP, so first add the following block to mikusa.xyz.conf:
Restart Nginx, then go to the HSTS preload list site to submit the application. Portal: https://hstspreload.org/
Confirm that no errors are reported, then press OK.
Check "I am the owner of mikusa.xyz..." and "I understand the consequences of doing this..." and submit.
So when my domain name expires, whoever buys the domain will be forced to use HTTPS, and it will take them a long time to work out that HSTS is the reason, hahaha.
Copyright notice: Unless otherwise stated, all articles are my own work. Please contact the author before reprinting or quoting, and indicate the source (author, original link, etc.).