
Turn on HSTS for your site


http, Safety

2020-11-12

HTTP Strict Transport Security, HSTS for short, is a policy carried in an HTTP response header (Strict-Transport-Security, defined in RFC 6797). It tells the browser that the site must only be accessed over HTTPS, and that any attempt to reach it over plain HTTP must be converted to HTTPS before the request leaves the browser.

Man-in-the-middle hijacking

When a user visits a website from a network of unknown trustworthiness, such as a public Wi-Fi hotspot, and opens http://example.com, someone on that network can intercept the user's request and redirect it to a phishing site that looks exactly the same, or inject harmful code, advertisements and so on into the returned content. This kind of attack is called a man-in-the-middle attack.

When example.com also supports HTTPS, a user who goes directly to the site over HTTPS is largely protected from this: the attacker can no longer read or alter the traffic without presenting a certificate that the browser will reject.

If the user still starts over HTTP, the server can redirect to HTTPS, but in the meantime the attacker can intercept the plain HTTP request, make the HTTPS request to the server on the user's behalf, and hand the rewritten content back to the user over HTTP. The browser never sees the redirect and the user never sees a certificate warning. This is known as SSL stripping.

When the user types example.com into the address bar, the browser initiates an HTTP request by default, and we cannot realistically require every user to type https://example.com explicitly each time they visit.

To shut down this attack path, one approach is to force the browser to use HTTPS for the site on its own. That is what enabling HSTS for the website does.

HSTS

HSTS is enabled and configured by sending the Strict-Transport-Security header field in the site's HTTPS responses:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time>

For <expire-time> seconds after the browser receives this header, every request to this host must be made over HTTPS. Setting max-age=0 tells the browser to forget the policy for the host.

includeSubDomains Optional

If this optional directive is present, the policy also applies to all subdomains of the host. Be careful: every subdomain, including internal or legacy hosts, must then serve valid HTTPS, because a browser that has recorded the policy will refuse to reach any of them over HTTP.

preload Optional

See Preload below for details. Not part of the standard.

Browser processing

When HSTS is turned on for a site

When the user first visits the site over HTTPS, the server responds with the Strict-Transport-Security header and the browser records the host, the expiry time and whether subdomains are included. On later visits, any http:// request for that host is rewritten to https:// before it is sent.

Once the expiry set by max-age has passed, HTTP access returns to normal: the browser no longer upgrades the request to HTTPS automatically.

Every time the browser receives the Strict-Transport-Security header it refreshes the expiry for the host, so a site that keeps sending the header never lets the policy lapse.

In Chrome, Firefox and other browsers, an attempt to load http:// content under such a host is answered internally with a 307 Internal Redirect (visible in the developer tools) that sends the request to HTTPS; nothing is transmitted over plain HTTP. A known host also loses the option of clicking through certificate errors: the browser treats them as hard failures.

Preload

If the user's very first visit is over HTTP, the browser ignores any Strict-Transport-Security header in that response (the header is only honoured over HTTPS), and an attacker on the path can keep the connection on HTTP and strip the header out of the relayed response, so the browser never learns the policy.

To close this gap, browser vendors maintain an HSTS preload list. Google maintains it for Chromium, and Firefox, Safari and Edge take their entries from the same list.

You can submit a domain that already sends the HSTS header to the preload service; once the entry ships in a browser release, that browser will never connect to the domain or its subdomains over plain HTTP, even on the first visit. To be accepted, the header must set a max-age of at least one year (31536000), carry both includeSubDomains and preload, and the site must redirect HTTP to HTTPS on the same host. Removal from the list takes months to propagate to users, so treat preloading as effectively permanent.

However, the preload directive and the list are not part of RFC 6797 and should not be regarded as part of the standard.

HSTS preload service

Example

The following header enables HSTS for the current host and all its subdomains for one year (31536000 seconds). It does not by itself qualify the site for the preload list, which also requires the preload directive. When rolling out, start with a short max-age and without includeSubDomains, and raise it only once every host is confirmed to serve HTTPS correctly:

Strict-Transport-Security: max-age=31536000; includeSubDomains
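As an added example (not code from the original post), here is a small Python model of the behaviour described in the Directives, Browser processing and Preload sections above: a parser for the Strict-Transport-Security value following the RFC 6797 grammar, a simplified browser HSTS store that only learns the header over HTTPS, refreshes and expires policies, honours includeSubDomains and a stand-in preload list, rewrites http:// URLs for known hosts, and a check of a header against the hstspreload.org requirements. The store is deliberately simplified (no port handling, no certificate validation), and the hosts, timestamps and preload entries used in the demo are constructed.

```python
import re
from dataclasses import dataclass

# Grammar of one directive, RFC 6797 section 6.1: token [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2\s*)?$')

ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns an HstsPolicy, or None when a browser would reject the header:
    max-age is mandatory and must be a plain non-negative integer, directive
    names are case-insensitive, and no directive may appear twice.
    """
    seen = {}
    for part in value.split(";"):
        if not part.strip():          # empty directives are allowed, e.g. a trailing ';'
            continue
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:              # duplicate directive: whole header is invalid
            return None
        seen[name] = m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


class HstsStore:
    """Simplified model of a browser's HSTS host cache (ignores ports and certificate checks)."""

    def __init__(self, preload_list=()):
        self._known = {}                     # host -> (expires_at, include_subdomains)
        self._preload = set(preload_list)    # stand-in for the list shipped with the browser

    def observe(self, scheme, host, sts_value, now):
        """Learn a policy from a response; returns True if the store changed.

        The header is only honoured on an HTTPS response (RFC 6797 section 8.1);
        over plain HTTP it is ignored, which is what a stripping attacker relies on.
        """
        if scheme != "https" or sts_value is None:
            return False
        policy = parse_sts(sts_value)
        if policy is None:
            return False
        if policy.max_age == 0:
            self._known.pop(host, None)      # max-age=0 tells the browser to forget the host
            return True
        # Every receipt refreshes the expiry, so a site that keeps sending the header never lapses.
        self._known[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host, now):
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preload:   # preloaded entries always cover subdomains
                return True
            entry = self._known.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:            # expired: plain HTTP is allowed again
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser actually fetches (Chrome shows this as '307 Internal Redirect')."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0].lower()
        if scheme == "http" and self.is_known(host, now):
            return "https://" + rest
        return url


def preload_ready(sts_value):
    """Header part of the hstspreload.org submission rules (not RFC 6797):
    max-age of at least one year, includeSubDomains and preload all present."""
    p = parse_sts(sts_value)
    return p is not None and p.max_age >= ONE_YEAR and p.include_subdomains and p.preload


if __name__ == "__main__":
    # Constructed scenario: the page's header, first seen over HTTP (ignored), then over HTTPS.
    header = "max-age=31536000; includeSubDomains"
    store, t0 = HstsStore(), 1_600_000_000
    print(store.observe("http", "example.com", header, t0))           # False
    print(store.observe("https", "example.com", header, t0))          # True
    print(store.rewrite("http://www.example.com/login", t0 + 3600))   # https://www.example.com/login
    print(store.rewrite("http://example.com/", t0 + ONE_YEAR))        # http://example.com/ (expired)
    print(preload_ready(header))                                      # False: no 'preload' directive
```

The demo reproduces the gap the Preload section describes: the header sent over HTTP is never recorded, so a stripping attacker on the first visit wins, while after one HTTPS visit even a subdomain request is upgraded before it leaves the browser. Against a real site, pair this with a quick check that the header is present on the HTTPS response and absent or harmless on the HTTP one, and remember that the model does not tell you whether every subdomain actually serves a valid certificate.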