IIS 啟用HTTP Strict Transport Security (HSTS)

1.設定header加上Strict-Transport-Security和持續時間
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>
不過這邊要特別注意的是要在HTTPS下送出這個Header,而不要在HTTP狀態下送出這個Header
因為根據HSTS (RFC6797) spec 有提到
An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the
Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS).
2.利用Rewrite模組強制使HTTP連線導致HTTPS
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>

留言

張貼留言

這個網誌中的熱門文章

解決WCF(REST)在https出現檔案找不到錯誤

最近發生的問題 在網站掛上https之後 一些WCF(REST)服務出現在https出現檔案找不到錯誤 但http狀態下卻是正常的 發現原來是要對設定黨做一些調整 以下是調整後的範例 <system.serviceModel> <bindings> <webHttpBinding> <binding name="Binding" crossDomainScriptAccessEnabled="true"> <security mode="Transport"> <transport clientCredentialType="None" /> </security> </binding> <binding name="httpbind" crossDomainScriptAccessEnabled="true"> </binding> </webHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="returnFaults"> <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/> <serviceDebug includeExceptionDetailInFaults="false"/> </behavior> </serviceBehaviors> <endpointB
閱讀完整內容

Azure Web Apps 讀取憑證

一般當我們在本機能正常運作的東西 常常放到雲端就不Work了 很多問題其實就在於雲端環境的差異與限制 例如這次研究的問題->讀取憑證資訊 以下就介紹Azure Web Apps環境下 憑證如何放置與讀取的差異 一般我們系統要讀取的憑證會放在 StoreLocation.LocalMachine Azure Web Apps上傳後的憑證是放在 StoreLocation.CurrentUser 要讓程式能讀取到要讀取的憑證還要設定憑證的設定檔 否則就算你上傳憑證之後還是找不到 APP Setting中新增憑證讀取參數 WEBSITE_LOAD_CERTIFICATES 和憑證指紋(thumbprint) 或者也可以設定"*"(不需要引號)就會讀取全部憑證 這樣就能順利讀取 以下是憑證讀取範例 using System; using System.Security.Cryptography.X509Certificates;namespace UseCertificateInAzureWebsiteApp { class Program { static void Main(string[] args) { X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); X509Certificate2Collection certCollection = certStore.Certificates.Find( X509FindType.FindByThumbprint, // 憑證指紋 “E661583E8FABEF4C0BEF694CBC41C28FB81CD870”, false);
閱讀完整內容