在Azure WebRoles中启用HTTP严格传输安全性(HSTS)

时间:2014-02-19 17:12:01

标签: asp.net security iis azure

如何为Azure WebRoles启用HTTP严格传输安全性(HSTS)?

2 个答案:

答案 0 :(得分:23)

接受的答案令人困惑,correct answer(在ServerFault上)隐藏在评论中,所以我在这里快速回顾一下。基本上这就是你想要做的事情:

  1. 将所有HTTP请求重定向到HTTPS
  2. Strict-Transport-Security标头添加到所有HTTPS请求
  3. 适当的web.config如下所示:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                        <match url="(.*)" />
                        <conditions>
                            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                        </conditions>
                        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                            redirectType="Permanent" />
                    </rule>
                </rules>
                <outboundRules>
                    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                        <match serverVariable="RESPONSE_Strict_Transport_Security"
                            pattern=".*" />
                        <conditions>
                            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                        </conditions>
                        <action type="Rewrite" value="max-age=31536000" />
                    </rule>
                </outboundRules>
            </rewrite>
        </system.webServer>
    </configuration>
    

    如果您想遵守HSTS preload,那么您在includeSubDomains标题中也需要preloadStrict_Transport_Security。这是我的完全重写配置,包括顶点重定向(我是一个yes-www人)和简单的本地开发设置(localhost上没有HTTPS):

    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <rule name="Redirect to www" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://www.yourdomain.com/{R:1}" 
               redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="HSTS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
    

    当然,请将yourdomain与您的实际域名切换。

答案 1 :(得分:7)

有一个IIS模块可以使HSTS符合HSTS草案规范(RFC 6797);你可以在https://hstsiis.codeplex.com/

找到它

请勿尝试:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

因为这将在非安全传输的HTTP响应中包含STS标头。