1. Set a response header that adds Strict-Transport-Security and its duration

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Note, however, that this header must be sent over HTTPS and must not be sent over plain HTTP, because the HSTS (RFC 6797) spec states:

"An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS)."

2. Use the Rewrite module to force HTTP connections to redirect to HTTPS

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="o...
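The `customHeaders` entry in step 1 is attached to every response, including those served over plain HTTP, which is what the note about RFC 6797 warns against. The following is an added example, not configuration from the original post: a URL Rewrite outbound rule that sets the header only when the request arrived over HTTPS. It assumes the URL Rewrite module is installed (step 2 already relies on it); the rule name is made up for illustration.

```xml
<system.webServer>
  <rewrite>
    <outboundRules>
      <!-- Rule name is illustrative. The rule writes the response header
           Strict-Transport-Security; URL Rewrite exposes response headers
           as RESPONSE_<name>, with dashes replaced by underscores. -->
      <rule name="Add HSTS header on HTTPS only" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <!-- {HTTPS} is "on" for TLS requests and "off" otherwise, so
               plain HTTP responses leave this rule without the header. -->
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <!-- Same policy value as in step 1: one year, in seconds. -->
        <action type="Rewrite" value="max-age=31536000" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
```

When this rule is used, remove the `<add name="Strict-Transport-Security" ...>` entry from `customHeaders`; otherwise the header is still emitted on HTTP responses.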