hsts

问题 I have created several virtual hosts for my development processes. They were working just fine till yesterday. But in my chrome app, today they stopped working. Chrome shows: NET::ERR_CERT_AUTHORITY_INVALID All my vhosts end with .dev . I changed one .dev to .work and its again working. But I can not do this for all vhosts as there are too many of them. What do I do? PS : They are working fine in firefox. The error remains same in chrome incognito mode. I tried clearing cache and hard reload,

问题 I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list: <ifModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" </ifModule> The problem is that when I submit my site, I obtain: Warning: Unnecessary HSTS header over HTTP. The HTTP page at http: //fabriziorocca.it sends an HSTS header. This has no effect over HTTP, and should be removed. At the moment I use the following in the

问题 Trust you all well. My web application run on tomcat 6.0.43 and do not use apache or nginx at front. I'm already enforce my web from http redirect to https using: URL Redirect at ../webapps/ROOT/index.jsp <% response.sendRedirect("https://www.epi.com.my/portal/"); %> ../webapps/myapp/WEB-INF/web.xml <security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport

问题 This is a followup question to Google Chrome redirecting localhost to https. Does anyone know, how to permanently exclude localhost from HSTS list in Google Chrome? Or, any other elegant solution that wouldn't require developer to visit chrome://net-internals/#hsts and delete localhost every time when switching from working on an HTTPS project to a different project on HTTP? 回答1: Update: You can install a proper SSL certificate for those domains if you want to for free, so you won't need to

问题 I had a Rails application with config.force_ssl = true , but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it? 回答1: It's not a problem with Apache, but with the fact that Rails sends an HSTS header. In Chrome, you can clear the HSTS state by going into about:net-internals , as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force

问题 In my project, HSTS is enabled. So if someone is tryig to use the site using the HTTP then it redirects to HTTPS. After the Security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS. Example 1: On Google Crome if i am trying below URL then it redirects to HTTPS: http://example.com/backend/web/lib/roboto/Roboto-Light.woff2 then it redirects to https://example.com/backend/web/lib/roboto/Roboto-Light.woff2 If i try same thing on Firefox then it just downloads the Roboto

问题 In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up the request then fails with the error Response for preflight is invalid (redirect) . 回答1: I resolved this issue by configuring the the HSTS header as follows: @Configuration @EnableWebSecurity public class SecurityConfigurer extends WebSecurityConfigurerAdapter { ... @Override protected void configure(HttpSecurity http) throws

问题 I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine. I've enabled HSTS on the site, but the HSTS outbound header rule which I've added is never hit on the first request to the root of the domain because of the redirect. (It works fine for subsequent https requests, because there's no redirect). This is a

问题 I am currently doing some debugging on my website which involves calling the facebook API. I've installed dnsmasq to work with my mac os X to redirect all request to facebook.com to 127.0.0.1 I have a echo server which will print out all the raw http request header on port 80 on my laptop. Now comes my problem. When I access facebook.com, I realize chrome will automatically forward http:// to https:// for facebook.com I googled and found the way of deleting this HSTS issue. I visit chrome:/

问题 When reading the spec for HSTS (Strict-Transport-Security), I see an injunction in section 7.2 against sending the header when accessed over http instead of https: An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. Why is this? What are the risks if this is violated? 回答1: The danger is to the availability of the website itself. If the website is able to respond (either now or in the future) over HTTP but not over HTTPS, it will semi