Chrome 强制一个网站使用 HTTPS

有一些网站通过 HTTP 和 HTTPS 都可以访问。比如 http://www.kuaidi100.com 和 https://www.kuaidi100.com 均可以访问网站。这篇文章讲解了一个 Chrome 里最轻量的重定向强制使用 HTTPS 方法。

0x00 – 准备

首先请访问 HTTPS 的网址。如果可以正常访问,请往下看。

0x01 – 配置本地 HSTS 规则

进入 Domain Security Policy 页面:chrome://net-internals/#hsts(需复制前往)

在 HSTS/PKP 下面的 Add HSTS/PKP domain 里添加新的 HSTS 规则:

如果只添加单域名 www.kuaidi100.com

如果添加域名及所有子域名 kuaidi100.com, *.kuaidi100.com

大功告成!以后浏览器访问 HTTP 的网址会自动被重定向到 HTTPS 版本。注意:如果网站 HTTPS 版本配置错误或者无法访问,请使用网页中的 Delete domain security policies 功能移除它。

0x02 – 更多信息

服务器端配置 HSTS 及 HSTS 扫盲:

谷歌是如何实现 .app.dev 等域名的强制 HTTPS 重定向?

在 2018 年 5 月 8 日开放注册的 .app 域名是第一个全域强制 HTTPS 的公开注册的域名。它的实现方法便是上面链接「HSTS Preload List」内所说的添加 HSTS 进入 Chrome 及 Firefox 浏览器源码。目前强制 HSTS 的顶级域名可见这个链接里的源码。

    // gTLDs and eTLDs are welcome to preload if they are interested.
    { "name": "android", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "bank", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "chrome", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "foo", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "gle", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "gmail", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "google", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true, "pins": "google" },
    { "name": "hangout", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true, "pins": "google" },
    { "name": "insurance", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "meet", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "new", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "page", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "play", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "search", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "youtube", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },

也可查看浏览器 chrome://net-internals/#hsts 的 HSTS 部分:.app 的 HSHS 记录

本文链接:https://blog.whe.me/post/chrome-force-https.html

— EOF —

转载链接:https://blog.whe.me/post/chrome-force-https.html

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注