
The Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

Header type: Response header
Forbidden header name: no

Syntax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time>
    The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains (optional)
    If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
preload (optional)
    See Preloading Strict Transport Security for details. Not part of the specification.

Description

If a website accepts a connection through HTTP and redirects to HTTPS, the user may initially communicate with the non-encrypted version of the site before being redirected, for example if the user types http://www.foo.com/ or even just foo.com.

This creates an opportunity for a man-in-the-middle attack, in which the redirect could be exploited to direct the user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security header lets a website inform the browser that it should never load the site using HTTP, and should instead automatically convert every attempt to access the site over HTTP into an HTTPS request.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed over HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

An example scenario

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you are using is actually a hacker's laptop, and they are intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem. As long as you have accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

How the browser handles it

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it updates the expiration time for that site, so a site can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict Transport Security, setting max-age to 0 (over an https connection) will immediately expire the Strict-Transport-Security policy, allowing access via http again.

Preloading Strict Transport Security

Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or have actually started using) the preload list.

  • Information regarding the HSTS preload list in Chrome: https://www.chromium.org/hsts

  • Consultation of the Firefox HSTS preload list: nsSTSPreloadList.inc

Examples

All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks access to pages or subdomains that can only be served over HTTP.

Strict-Transport-Security: max-age=31536000; includeSubDomains
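As an added illustration (not MDN's code), the Python below models the browser-side behaviour described under "How the browser handles it" and applies it to the example header above: the header is honoured only over HTTPS, max-age sets and refreshes an expiry, max-age=0 clears the entry, includeSubDomains widens the rule, and http:// URLs for a known host are upgraded until the entry expires. The HstsCache class, host names and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Simulated browser HSTS store (constructed example, not MDN's code)."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, host, scheme, header_value, now):
        """Record, refresh or clear the policy carried by one response."""
        if scheme != "https":
            return False  # header seen over plain HTTP is ignored: it could have been injected
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header_value, re.I)
        if not m:
            return False  # max-age is mandatory; an unparsable header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 expires the policy immediately
            return True
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", header_value, re.I) is not None
        self.entries[host] = (now + max_age, include_sub)  # each new header refreshes the expiry
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired: the next http:// load proceeds as normal
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when the host has a live policy."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname, now):
            return url
        # An explicit port 80 maps to the default HTTPS port; other ports are kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.process_response("www.foo.com", "https", "max-age=31536000; includeSubDomains", now=0)
    print(cache.rewrite("http://api.www.foo.com/", now=100))  # https://api.www.foo.com/
```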

Specifications

Specification                            Status     Comment
HTTP Strict Transport Security (HSTS)    IETF RFC   Initial definition

Browser compatibility

Feature        Chrome  Firefox  Edge  Internet Explorer  Opera  Safari
Basic Support  4.0     4        12    11                 12     7

Feature        Android  Chrome for Android  Edge mobile  Firefox for Android  IE mobile  Opera Android  iOS Safari
Basic Support  4.4      18                  (Yes)        (Yes)                ?          ?              8.4
