This site passed the HSTS Preload List review a few days ago. At the moment the status query shows it as "preloaded"; it should reach the stable channel in a while.


The entry can be found in the Chromium source code: https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json?q=himiku.com&g=0&maxsize=14169872&l=63221

Now let me explain why I wanted to join the HSTS Preload List.

Cover: The Teabag Catalogue2#pixiv


HSTS

Definition of HSTS

First, the definition of HSTS.
HTTP Strict Transport Security (HSTS) is an Internet security policy mechanism published by the Internet Engineering Task Force (IETF). A website can opt in to the HSTS policy to force browsers to communicate with it only over HTTPS, reducing the risk of session hijacking. [1]

Role of HSTS

The role of HSTS is to force clients (such as browsers) to connect to the server over HTTPS. [2]

In other words, the header tells the browser to use HTTPS for this domain name from now on. If the user types or follows an http:// URL, the browser rewrites it to https:// itself before sending anything, instead of relying on the server to perform a 301 redirect.

Shortcomings of HSTS

A user's first visit to a website is not protected by HSTS, because the browser has not yet received the HSTS header at that point, so the first request may still go out as clear-text HTTP.

Browsers therefore ship with a preset list of HSTS domain names to solve this problem.

HSTS Preload List

What is "HSTS Preload List"

The HSTS preload list is a list of domain names that have opted in to HSTS, and these domains can only be reached over HTTPS. Once a site is ready, its webmaster can submit the domain name at hstspreload.org, after which the domain is hard-coded into browsers as HTTPS-only. Since all mainstream modern browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) carry preload lists derived from Chrome's list, the domain is protected from man-in-the-middle attacks even on the first visit. [3]

Join HSTS Preload List

To join the HSTS Preload List, the following requirements must be met [4]:

  1. Serve a valid SSL certificate.
  2. If you are listening on port 80, redirect from HTTP to HTTPS on the same host.
  3. Serve all subdomains over HTTPS.
  4. Serve an HSTS response header for HTTPS requests on the base domain:

    • The max-age must be at least 31536000 seconds (1 year).
    • The includeSubDomains directive must be specified.
    • The preload directive must be specified.
    • If you serve an additional redirect from your HTTPS site, that redirect itself must still carry the HSTS header (not only the page it redirects to).
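The requirements above can be checked before submitting at hstspreload.org. The following is an added example written for this post, not code from hstspreload.org or from the author's site: it parses a Strict-Transport-Security header value the way RFC 6797 describes (directives separated by `;`, names case-insensitive, values optionally quoted, no directive repeated) and reports which of the max-age, includeSubDomains and preload requirements fail. The sample header values at the bottom are constructed for illustration, and `fetch_sts` is an assumed helper for checking a live host; it deliberately does not follow redirects, because each redirect hop has to carry the header on its own.

```python
"""Check a Strict-Transport-Security header against the hstspreload.org
submission requirements (max-age >= 31536000, includeSubDomains, preload).

Added example for this post; not code from hstspreload.org or the author's
site. The SAMPLES below are constructed header values, not captured ones.
"""
import http.client
import ssl

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_sts(value):
    """Parse an STS header value into a dict of lowercase directive -> value.

    Per RFC 6797: directives are ';'-separated, names are case-insensitive,
    values may be quoted, and a directive must not appear more than once.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = val
    return directives


def preload_problems(sts_value):
    """Return the list of reasons the header fails the preload requirements.

    An empty list means the header satisfies requirement 4 above.
    """
    if sts_value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_sts(sts_value)
    except ValueError as e:
        return [str(e)]
    problems = []
    if "max-age" not in d:
        problems.append("max-age missing")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            problems.append("max-age is not an integer: %r" % d["max-age"])
        else:
            if max_age < ONE_YEAR:
                problems.append("max-age %d < %d (1 year)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def fetch_sts(host, path="/"):
    """Assumed helper: fetch `path` from `host` over HTTPS and return
    (status, Location, Strict-Transport-Security).

    Redirects are not followed on purpose: a redirect response must itself
    carry the header, so inspect each hop separately.
    """
    conn = http.client.HTTPSConnection(
        host, 443, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"),
              resp.getheader("Strict-Transport-Security"))
    conn.close()
    return result


# Constructed sample header values: (label, value). None models a redirect
# or other response that was sent without the header at all.
SAMPLES = [
    ("header from this post", "max-age=94608000; includeSubDomains; preload"),
    ("max-age too short", "max-age=300; includeSubDomains; preload"),
    ("preload missing", "max-age=31536000; includeSubDomains"),
    ("quoted, mixed case", 'Max-Age="31536000"; IncludeSubDomains; Preload'),
    ("duplicate directive", "max-age=31536000; max-age=0; includeSubDomains; preload"),
    ("redirect without header", None),
]

if __name__ == "__main__":
    for label, value in SAMPLES:
        print("%-25s %s" % (label, preload_problems(value) or "OK"))
```

To check a real site, call `status, location, sts = fetch_sts("example.com")` and pass `sts` to `preload_problems`; if `status` is a 3xx, repeat the call for the `location` target, since the submission form checks the header on the redirect response as well as on the final page.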

General steps for applying for HSTS

As an example, I will use mikusa.xyz, a domain name of mine that is expiring soon.

I use LNMP, so first add the following line to mikusa.xyz.conf:

 add_header Strict-Transport-Security "max-age=94608000; includeSubDomains; preload" always;

Then restart Nginx. (The `always` parameter makes nginx attach the header to every response, including error responses, rather than only to the status codes it adds headers to by default, which is what the last bullet of requirement 4 expects.)
Next, go to the HSTS preload list to submit the application. Portal: https://hstspreload.org/


Confirm that no errors are reported and click OK.

Tick "I am the owner of mikusa.xyz..." and "I understand the consequences of doing this..." and submit.

So when my domain name expires, whoever buys the domain will be forced to use HTTPS and will spend a long time figuring out that HSTS is the reason, hahaha.


  1. Wikipedia: HTTP Strict Transport Security
  2. Wikipedia (Chinese), "HTTP Strict Transport Security": https://zh.wikipedia.org/wiki/HTTP%E4%B8%A5%E6%A0%BC%E4%BC%A0%E8%BE%93%E5%AE%89%E5%85%A8
  3. Google Open Source's description of the HSTS Preload List: https://opensource.google.com/projects/hstspreload
  4. Translated via Google Translate