严格传输安全头应如何应用于 www 子域?

huangapple go评论66阅读模式
英文:

How strict transport security header should applied on www subdomain?

问题

我想要将 严格传输安全 标头添加到我的网站 https 响应中,采用 includeSubDomainspreload 选项。看起来会像这样:
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

此外,我的托管提供商有以下重定向流程:

  1. http -> https -> https://www.
  2. https -> https://www.

这意味着用户总是会进入 https://www. 的网址。

我注意到亚马逊有类似的重定向流程。请参见下面的图片。

并且它仅在 www 回应上返回 hsts 标头。另外,我检查了 hsts 预加载注册 网站 列表,注册了 www.amazon.de,但没有注册 amazon.de。

因此,我有以下几个问题:

  1. 如果我在 www.example.com 上添加 includeSubDomains 的 hsts,这意味着其他子域名如 admin.example.com 将不受保护吗?也许 www 子域名有一些例外情况?
  2. 如果我将 www.example.com 注册到 hsts 预加载注册列表,这意味着 example.com 对第一个请求仍然没有受到保护吗?
  3. 当你已经有 http->https 重定向且基本域名(example.com)未预加载时,在 www 网站上具有 hsts 的意义是什么(比如亚马逊的示例)?

严格传输安全头应如何应用于 www 子域?严格传输安全头应如何应用于 www 子域?

英文:

I want to add strict transport security header to my website https response with includeSubDomains and preload options. Which would look like this:
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Also, my hosting providers have these redirect flows:

  1. http -> https -> https://www.
  2. https -> https://www.

That means users always end up at https://www. url.

I noticed that Amazon has a similar redirect flow. See images below.

And it returns hsts header only on www response. Also, I checked hsts preload registration website list and it has registered www.amazon.de but not amazon.de.

So, I have the following questions:

  1. If I add hsts with includeSubDomains on www.example.com that means other subdomains like admin.example.com won't be protected? Maybe there are some exceptions for www subdomain?
  2. If I register www.example.com to hsts preload registration list, this means that example.com still won't be protected against first request?
  3. What is the point of having hsts on www website when you have anyways http->https redirects and base domain(example.com) is not preloaded(amazon example)?

严格传输安全头应如何应用于 www 子域?严格传输安全头应如何应用于 www 子域?

答案1

得分: 1

If I add hsts with includeSubDomains on www.example.com that means other subdomains like admin.example.com won't be protected?

是的。根据RFC 6797的描述:

6.1.2. The includeSubDomains Directive

可选的“includeSubDomains”指令是一个无值的指令,如果存在(即被“断言”),则向用户代理(UA)发出信号,表明HSTS策略适用于此HSTS主机以及主机域名的任何子域。

对于www子域没有特殊规则。


If I register www.example.com to hsts preload registration list, this means that example.com still won't be protected against first request?

你只能注册example.com,而不能注册www.example.com - 自行查看。通常,你只能注册etld+1

如果你是一个非常大的公司,可能会获得特殊例外。请参阅Chromium preload文件 - 对于Google、Amazon等一些公司,有特殊规则,但其他人只能预加载整个域名。


What is the point of having hsts on www website when you have anyways http->https redirects and base domain(example.com) is not preloaded(amazon example)?

这意味着浏览器对amazon.com的第一个请求是不安全的,但在第一个请求之后,浏览器将记住HSTS标头,随后对amazon.com的请求将是安全的。如果他们有重定向但没有HSTS,那么对amazon.com的每个请求都将是不安全的。

英文:

> If I add hsts with includeSubDomains on www.example.com that means other subdomains like admin.example.com won't be protected?

Yes. From RFC 6797:

> 6.1.2. The includeSubDomains Directive
>
> The OPTIONAL "includeSubDomains" directive is a valueless directive
which, if present (i.e., it is "asserted"), signals the UA that the
HSTS Policy applies to this HSTS Host as well as any subdomains of
the host's domain name.

There are no special rules for the www subdomain.


> If I register www.example.com to hsts preload registration list, this means that example.com still won't be protected against first request?

You can only register example.com, not www.example.com - see for yourself. Generally, you can only register an etld+1.

You might be able to get an exception if you're a very large company. See the Chromium preload file - there are special rules for Google, Amazon and a few others, but everyone else can only preload whole domains.


> What is the point of having hsts on www website when you have anyways http->https redirects and base domain(example.com) is not preloaded(amazon example)?

This means that a browsers first request to amazon.com is insecure, but after the first request the browser will remember the HSTS header and subsequent requests to amazon.com will be secure. If they had the redirect but no HSTS, every request to amazon.com would be insecure.

huangapple
  • 本文由 发表于 2023年6月22日 18:07:44
  • 转载请务必保留本文链接:https://go.coder-hub.com/76530783.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定