有一些网站通过 HTTP 和 HTTPS 都可以访问。比如 http://www.kuaidi100.com 和 https://www.kuaidi100.com 均可以访问网站。这篇文章讲解了一个 Chrome 里最轻量的重定向强制使用 HTTPS 方法。
0x00 – 准备
首先请访问 HTTPS 的网址。如果可以正常访问,请往下看。
0x01 – 配置本地 HSTS 规则
进入 Domain Security Policy 页面:chrome://net-internals/#hsts(需复制前往)
在 HSTS/PKP 下面的 Add HSTS/PKP domain 里添加新的 HSTS 规则:
如果只添加单域名 www.kuaidi100.com
- Domain:
www.kuaidi100.com
如果添加域名及所有子域名 kuaidi100.com, *.kuaidi100.com
- Domain:
kuaidi100.com - Include subdomains for STS: ☑️
大功告成!以后浏览器访问 HTTP 的网址会自动被重定向到 HTTPS 版本。注意:如果网站 HTTPS 版本配置错误或者无法访问,请使用网页中的 Delete domain security policies 功能移除它。
0x02 – 更多信息
服务器端配置 HSTS 及 HSTS 扫盲:
谷歌是如何实现 .app、.dev 等域名的强制 HTTPS 重定向?
在 2018 年 5 月 8 日开放注册的 .app 域名是第一个全域强制 HTTPS 的公开注册的域名。它的实现方法便是上面链接「HSTS Preload List」内所说的添加 HSTS 进入 Chrome 及 Firefox 浏览器源码。目前强制 HSTS 的顶级域名可见这个链接里的源码。
// gTLDs and eTLDs are welcome to preload if they are interested.
{ "name": "android", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "bank", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "chrome", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "foo", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "gle", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "gmail", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "google", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true, "pins": "google" },
{ "name": "hangout", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true, "pins": "google" },
{ "name": "insurance", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "meet", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "new", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "page", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "play", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "search", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
{ "name": "youtube", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
也可查看浏览器 chrome://net-internals/#hsts 的 HSTS 部分:
本文链接:https://blog.whe.me/post/chrome-force-https.html
— EOF —
转载链接:https://blog.whe.me/post/chrome-force-https.html
原创文章,作者:jessegold,如若转载,请注明出处:https://www.hero4u.cn/blog/2021/04/chrome-%e5%bc%ba%e5%88%b6%e4%b8%80%e4%b8%aa%e7%bd%91%e7%ab%99%e4%bd%bf%e7%94%a8-https/
