google chrome 本身有檢測的功能
chrome://net-internals/#hsts
Apache 啟用HSTS
1.編輯 httpd.conf
將Header Module 註解拿掉(uncomment)
LoadModule headers_module modules/mod_headers.so
方法一:
在網站根目錄新增 .htaccess檔案
<IfModule mod_headers.c>
Header set Strict-Transport-Security: max-age=10886400
</IfModule>
方法二:
在VirtualHost區域增加Header設定
<VirtualHost www.example.com:80>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
2.重啟Apache
IIS 啟用 HSTS
方法一:
1.打開IIS管理工具,選擇要設定的站點
2.HTTP回應標頭點兩下,並在右邊功能列選新增
3.新增回應標頭內容
名稱:Strict-Transport-Security
值:max-age=10886400
方法二:
1.在Web.Config設定
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>
</httpProtocol>
</system.webServer>
Tomcat 啟用HSTS
Tomcat 7,8 or above enable "HTTP Header Security Filter"
1.編輯tomcat/conf/web.xml
2.找到httpheadersecurity這個filter,並把前後的註解拿掉
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
3.在步驟2的filter class後面新增
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
4.找到filter mapping 並將前後的註解拿掉
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
NGINX 啟用HSTS
1.編輯設定檔,在Server區塊下新增設定
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
2.重啟服務
沒有留言:
張貼留言