HTTP Strict Transport Security (HSTS) is a security feature that lets a website tell the browser it may only be reached over HTTPS, never plain HTTP. Once a browser has seen the header it rewrites http:// links to https:// on its own and refuses to click through certificate errors for that host, which closes the window for SSL-stripping attacks. This tutorial shows how to configure HSTS on the server. Two points to keep in mind: a browser only stores the policy when the header arrives over HTTPS (it is ignored on a plain HTTP response), so the header belongs on the HTTPS virtual host and port 80 should simply redirect; and includeSubDomains applies the policy to every subdomain, so make sure all of them are reachable over HTTPS before enabling it.

Apache

# The headers module must be loaded:
LoadModule headers_module modules/mod_headers.so
# HSTS goes on the HTTPS host only; "always" also sends it on error responses (4xx/5xx)
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
</VirtualHost>
# Port 80: permanent (301) redirect to HTTPS, no HSTS header here
<VirtualHost *:80>
[...]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
</VirtualHost>


Nginx

# Put these in the HTTPS server block. "always" (nginx 1.7.5+) sends the header on error responses too.
# Note that add_header is not inherited: a location block with its own add_header drops these unless they are repeated there.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;

Lighttpd

server.modules += ( "mod_setenv" )
# Only on the HTTPS scheme. Both headers must be set in a single assignment:
# a second "setenv.add-response-header =" would overwrite the first, losing the HSTS header.
$HTTP["scheme"] == "https" {
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
"X-Frame-Options" => "DENY"
)
}
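After deploying any of the configurations above, it is worth checking what the server actually sends rather than trusting the config file. The following is an added example, not part of the original tutorial: a small RFC 6797 parser and checker for the Strict-Transport-Security header value. The sample values are constructed; the one-year threshold (31536000 seconds) and the preload prerequisites are the ones published by the HSTS preload list, used here as assumptions about what counts as a sound policy. Feed it the value from curl -sI https://example.com | grep -i strict.

```python
"""Parse and sanity-check a Strict-Transport-Security header value (RFC 6797).

Added example, not code from the original tutorial. The thresholds
(max-age >= one year, includeSubDomains required for preload) are taken
from the HSTS preload list requirements and used as assumptions here.
"""
import re

ONE_YEAR = 31536000  # seconds; the minimum the preload list expects


def parse_hsts(value):
    """Split an HSTS header value into a dict keyed by lower-cased directive name.

    Directive names are case-insensitive, so "includeSubdomains" and
    "includeSubDomains" both become "includesubdomains". Only max-age carries
    a value; empty tokens (from a trailing ';') are skipped; RFC 6797 forbids
    a directive from appearing twice, so duplicates raise.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # quoted-string values are permitted
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val
    return directives


def check_hsts(value, over_https=True):
    """Return a list of findings for a header value; an empty list means the policy is sound.

    over_https says on which scheme the header was observed: browsers only
    store a policy received over a secure connection, so a header seen on a
    plain-HTTP response (e.g. a misplaced add_header in nginx) does nothing.
    """
    findings = []
    if not over_https:
        findings.append("header sent over plain HTTP: browsers ignore it")
    directives = parse_hsts(value)
    if "max-age" not in directives:
        findings.append("max-age is required")
        return findings
    if not re.fullmatch(r"\d+", directives["max-age"]):
        findings.append("max-age must be a non-negative integer")
        return findings
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif max_age < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if "preload" in directives and (max_age < ONE_YEAR or "includesubdomains" not in directives):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values, including the one used in the configs above.
    for sample in ("max-age=63072000; includeSubDomains",
                   "max-age=300",
                   "max-age=0",
                   "max-age=86400; preload"):
        print(repr(sample), "->", check_hsts(sample) or "OK")
```

The checker deliberately treats a short max-age as a finding rather than an error: a value of a few minutes is a reasonable first step while confirming that every subdomain works over HTTPS, but it should be raised to a year or more (as in the configs above, two years) once that is verified, because a short policy expires between visits and leaves the first request of each visit unprotected.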