如果我已经从服务器端启用了 HSTS header ,那么为什么 Google Chrome 会忽略它?我可以通过http自由访问网站。我期望浏览器应该强制网站仅加载 HTTPS。毕竟 HSTS 就是为了这个目的。如果我错了,请纠正我。 引用:Video
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/html; charset=UTF-8
Date:Mon, 18 Dec 2017 07:15:18 GMT
Link:<http://example.com/wp-json/>; rel="https://api.w.org/"
Server:nginx
Set-Cookie:wfvt_1954975060=5a376b06351b6; expires=Mon, 18-Dec-2017 07:45:18 GMT; Max-Age=1800; path=/; HttpOnly
Strict-Transport-Security:max-age=63072000; includeSubdomains;
Transfer-Encoding:chunked
Vary:Accept-Encoding
最佳答案
Strict-Transport-Security header 仅在 HTTPS 页面上有效。它在 HTTP 页面上被忽略 - 如果您想强制用户使用 HTTPS,请将他们从所有 HTTP 页面重定向到 HTTPS,并在他们重定向到的页面上显示 Strict-Transport-Security header .
Note: The
Strict-Transport-Securityheader is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor theStrict-Transport-Securityheader.
关于google-chrome - 如果存在 HSTS header ,为什么 Chrome 不强制使用 HTTPS?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47863724/