How to find out whether a website uses HSTS

Time: 2012-07-30 08:28:20

Tags: curl https header

I know nothing about curl and am trying to determine whether a website uses Strict-Transport-Security.

I'm open to suggestions. I was told to check Chrome's preloaded list and run

curl -D - https://www.example.com | head -n 20

and check for the Strict-Transport-Security header.

But the 'head' command produces an error and is unknown.

Any ideas?

ATM I'm running Win XP; I'll have a Linux distro in a few days.

Thanks.

3 Answers:

Answer 0 (score: 21)

That approach is fine.

$ curl -s -D- https://paypal.com/ | grep Strict
Strict-Transport-Security: max-age=14400

As you noticed, some webservers refuse to accept HEAD requests. curl will print the headers of a GET request when run with -v:

$ curl -s -vv https://paypal.com/ 2>&1 | grep Strict
< Strict-Transport-Security: max-age=14400

The < marks headers that the server returned to you.

In your example, the real example.com doesn't work because it doesn't listen on https:// at all:

$ curl -D- https://www.example.com
curl: (7) couldn't connect to host

As the Strict-Transport-Security header is only honoured when delivered over https://, it's pretty safe to assume that any site which isn't responding on https:// isn't using STS, especially as it would have no reason to.
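An added example, not part of the answer above: a small shell helper that grades the header value the curl commands print (max-age, includeSubDomains, preload, and the http-vs-https point the answer makes), plus a fetch helper that uses a GET the same way `-D -` does, since some servers refuse HEAD. The function names, the one-day "weak" threshold and the one-year-plus-includeSubDomains-plus-preload rule for "preload" are this example's own choices, not something the answer states.

```bash
#!/bin/sh
# Added example: grade an HSTS header value offline, and fetch one from a
# live host with a GET request (some servers refuse HEAD).
# Thresholds and names below are this example's own choices (assumptions).

# hsts_eval VALUE [SCHEME]
#   Prints one word and returns 0 only for a usable policy:
#     none     - no header value given
#     ignored  - delivered over plain http; browsers discard it (RFC 6797)
#     invalid  - max-age missing or not a number
#     disabled - max-age=0, which tells browsers to drop the policy
#     weak     - max-age below one day (assumed threshold)
#     ok       - usable policy
#     preload  - max-age >= 1 year, includeSubDomains and preload present
hsts_eval() {
    hsts_value=$1
    hsts_scheme=${2:-https}
    if [ -z "$hsts_value" ]; then echo none; return 1; fi
    if [ "$hsts_scheme" != https ]; then echo ignored; return 1; fi

    # Directive names are case-insensitive and max-age may be quoted
    # (RFC 6797), so normalise before splitting on ';'.
    hsts_lower=$(printf '%s' "$hsts_value" | tr 'A-Z' 'a-z' | tr -d ' "')
    hsts_max_age=
    hsts_sub=0
    hsts_preload=0
    hsts_old_ifs=$IFS
    IFS=';'
    for hsts_directive in $hsts_lower; do
        case $hsts_directive in
            max-age=*)         hsts_max_age=${hsts_directive#max-age=} ;;
            includesubdomains) hsts_sub=1 ;;
            preload)           hsts_preload=1 ;;
        esac
    done
    IFS=$hsts_old_ifs

    case $hsts_max_age in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$hsts_max_age" -eq 0 ]; then echo disabled; return 1; fi
    if [ "$hsts_max_age" -lt 86400 ]; then echo weak; return 1; fi
    if [ "$hsts_max_age" -ge 31536000 ] && [ "$hsts_sub" -eq 1 ] && [ "$hsts_preload" -eq 1 ]; then
        echo preload; return 0
    fi
    echo ok; return 0
}

# hsts_header_of URL
#   Prints the Strict-Transport-Security value of a live response, or
#   nothing. -D - dumps the headers while the body goes to -o /dev/null,
#   so this is a GET rather than the HEAD that -I would send.
hsts_header_of() {
    curl -s -D - -o /dev/null "$1" 2>/dev/null \
        | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | head -n 1 \
        | cut -d: -f2- \
        | sed 's/^ *//'
}

# Live usage (needs network); pass the scheme of the URL you fetched:
#   hsts_eval "$(hsts_header_of https://paypal.com/)" https
```

The scheme argument exists because the header is only meaningful on an https response: a site that sends it over plain http gets "ignored", which matches the answer's point that a host not answering on https:// cannot be using STS.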

Answer 1 (score: 1)

Chrome has an HSTS checker at chrome://net-internals#hsts

But be aware that Chrome also likes to add entries whenever you request a site over https.

I just had Chrome redirecting to https for an internal site with no https certificate, not even listening on 443. Unsurprisingly, curl returned no Strict header. Then I found that Chrome has an internal HSTS list. It can be cleared from chrome://net-internals#hsts, which is separate from the global Google-maintained list.

Answer 2 (score: 0)

[Expanding on @FauxFaux's answer]

I wanted to see how my website compared to others in the industry, so I wrote a bash for loop. I found that some sites not only treat HEAD requests differently from GET, but that they (Amazon and Microsoft) also treat curl differently from a real browser. So I added some headers to the request to get a realistic response.

Script

# NOTE: You can copy/paste this whole block straight into a bash shell

apex_domains=(
    paypal.com
    amazon.com
    google.com
    microsoft.com
)

# Browser-like request headers: some sites answer curl's default
# User-Agent differently from a real browser. -s silences the progress
# meter, -v prints request and response headers on stderr, -o discards
# the body.
curl_command="curl -svo /dev/null \
-H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' \
-H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'accept-language: en-US,en;q=0.9' \
--compressed"

for domain in "${apex_domains[@]}"; do
    for scheme in 'http' 'https'; do
        for subdomain in '' 'www.'; do
            url="${scheme}://${subdomain}${domain}"
            echo -e "\n  ${url}"
            echo "  $curl_command  ${url}"
            # eval re-parses the single-quoted header values; 2>&1 brings
            # the -v header dump onto stdout so grep can see it.
            eval "$curl_command  ${url}" 2>&1 | \
                tr -d '\r' | grep -i --color=always 'strict-transport-security.*';
        done
    done
done

Output

The output looks better on a terminal because the grepped header is highlighted.

  http://paypal.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://paypal.com

  http://www.paypal.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://www.paypal.com

  https://paypal.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://paypal.com
< strict-transport-security: max-age=31536000; includeSubDomains

  https://www.paypal.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://www.paypal.com
< strict-transport-security: max-age=63072000; includeSubDomains; preload

  http://amazon.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://amazon.com

  http://www.amazon.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://www.amazon.com

  https://amazon.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://amazon.com

  https://www.amazon.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://www.amazon.com
< strict-transport-security: max-age=47474747; includeSubDomains; preload

  http://google.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://google.com

  http://www.google.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://www.google.com

  https://google.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://google.com

  https://www.google.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://www.google.com
< strict-transport-security: max-age=31536000

  http://microsoft.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://microsoft.com

  http://www.microsoft.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  http://www.microsoft.com

  https://microsoft.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://microsoft.com

  https://www.microsoft.com
  curl -svo /dev/null -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'accept-language: en-US,en;q=0.9' --compressed  https://www.microsoft.com
< strict-transport-security: max-age=31536000