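HTTP Strict Transport Security (HSTS) is a security feature that lets a website tell browsers that it may only be accessed over HTTPS, never over HTTP. This tutorial shows how to configure HSTS on your server.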
Apache
# The headers module must be loaded:
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    Header always set X-Frame-Options DENY
</VirtualHost>

# Redirect port 80 to HTTPS with a 301
<VirtualHost *:80>
    [...]
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        # R=301 makes the redirect permanent (the default would be 302); L stops further rewriting
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
</VirtualHost>
Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
add_header X-Frame-Options "DENY";
Lighttpd
server.modules += ( "mod_setenv" )

$HTTP["scheme"] == "https" {
    # Set both headers in one list; a second assignment in the same block would not add to the first
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains;",
        "X-Frame-Options" => "DENY"
    )
}
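To verify what a server actually sends after applying one of these configurations, the following added example (not part of the original tutorial) parses a Strict-Transport-Security value according to the RFC 6797 grammar and flags common problems. The function names, the finding labels and the one-year min_age threshold are assumptions made for this example.

```python
import re

# directive = token [ "=" ( token | quoted-string ) ]   (RFC 6797 section 6.1)
_DIRECTIVE = re.compile(r'''^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s;"]+)))?$''')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means non-conforming."""
    seen = {}
    # Simplification: splitting on ';' assumes no ';' inside a quoted-string.
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directive, e.g. a trailing ';'
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:                  # a directive may appear only once
            return None
        seen[name] = m.group(2) if m.group(2) is not None else (m.group(3) or "")
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}

def audit(scheme, headers, min_age=31536000):
    """Return findings for one response. min_age (one year) is an assumed threshold."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]
    if scheme != "https":
        return ["ignored-over-http"]      # browsers only honour HSTS received over TLS
    policy = parse_hsts(values[0])        # browsers process only the first HSTS field
    if policy is None:
        return ["malformed"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age-0-clears-policy")
    elif policy["max_age"] < min_age:
        findings.append("short-max-age")
    if not policy["include_subdomains"]:
        findings.append("no-includeSubDomains")
    return findings

# Constructed sample: the header value used in the configurations above, served over HTTPS.
if __name__ == "__main__":
    print(audit("https", [("Strict-Transport-Security", "max-age=63072000; includeSubdomains;")]))
```

An empty findings list means the header is well-formed, long-lived and covers subdomains; the trailing semicolon and the lowercase "d" in includeSubdomains are both accepted by the grammar.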