我想在我的 Django 设置中实现 SECURE_HSTS_SECONDS 以提高安全性 - 但是 Django 文档的警告让我有点害怕,所以我想要一些说明。内容如下:
SECURE_HSTS_SECONDS
Default: 0
If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it.
Warning: Setting this incorrectly can irreversibly (for some time) break your site. Read the HTTP Strict Transport Security documentation first.
要“破坏我的网站”必须发生什么?我首先阅读了 HTTP Strict Transport Security 文档,但它并没有让我更清楚。
最佳答案
HTTP Strict Transport Security
HTTP Strict Transport Security lets a web site inform the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. It consists in one HTTP header, Strict-Transport-Security, sent back by the server with the resource.
换句话说,如果您将 SECURE_HSTS_SECONDS 的值设置为例如518400(6 天)您的网络服务器将在您的客户第一次访问您的网站时通知他的浏览器,以便将来通过 https 独占访问您的网站。这适用于整个定义的时间段。如果出于任何原因您不再通过 https 访问您的网站,则浏览器将无法再访问您的服务。
因此,您应该首先将此变量设置为较低的值,例如 60 秒,并确保一切按预期运行,否则您可能会阻止您自己和您的客户访问您的网站。
Browsers properly respecting the
HSTSheader will refuse to allow users to bypass warnings and connect to a site with an expired, self-signed, or otherwise invalid SSL certificate. If you use HSTS, make sure your certificates are in good shape and stay that way! Source
关于python - 设置 SECURE_HSTS_SECONDS 会不可逆转地破坏您的网站吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49166768/