If I have already enabled the HSTS header on my server side, then why is Google Chrome ignoring it? I can access the website freely over http. I am expecting that the browser should force the website to load over HTTPS only. After all, HSTS is for that purpose. Please correct me if I am wrong. Ref: Video
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/html; charset=UTF-8
Date:Mon, 18 Dec 2017 07:15:18 GMT
Link:<http://example.com/wp-json/>; rel="https://api.w.org/"
Server:nginx
Set-Cookie:wfvt_1954975060=5a376b06351b6; expires=Mon, 18-Dec-2017 07:45:18 GMT; Max-Age=1800; path=/; HttpOnly
Strict-Transport-Security:max-age=63072000; includeSubdomains;
Transfer-Encoding:chunked
Vary:Accept-Encoding
Answer 0: (score: 2)
The Strict-Transport-Security header is only valid on HTTPS pages. It is ignored on HTTP pages; if you want to force users to use HTTPS, redirect them to HTTPS from all HTTP pages, and present a Strict-Transport-Security header on the page they are redirected to.
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
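To make the rule in the answer concrete, here is an added example (not code from the question, the answer, or any browser) that models the browser side of RFC 6797: a small Known-HSTS-Host store that only accepts the header from an HTTPS response with no certificate errors, and then rewrites later http:// URLs for that host (and, with includeSubDomains, its subdomains) to https:// before any request leaves the browser. It feeds in the exact header value from the question, `max-age=63072000; includeSubdomains;`, first over HTTP and then over HTTPS, to show why the first is ignored and the second is honored. The host names, certificate-error flag and header lists are constructed for illustration; the trailing `;` in the question's header is accepted because the RFC 6797 grammar allows empty directives.

```python
"""Model of how a browser applies RFC 6797 HSTS (added example, not from the
original page). Host names, certificate flags and header lists below are
constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directives are ';'-separated and case-insensitive; empty directives (such as
    the one left by a trailing ';') are permitted by the RFC 6797 grammar.
    Returns None if the value is invalid (no max-age, or a repeated directive).
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directive, e.g. from a trailing ';'
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Minimal Known-HSTS-Host cache keyed by host name."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def process_response(self, url, headers, cert_errors=False):
        """Return True if this response created, refreshed or removed an entry."""
        parts = urlsplit(url)
        host = parts.hostname
        # Only a secure transport with no certificate errors may update HSTS
        # state. Over plain HTTP an on-path attacker could inject or strip the
        # header, so the browser ignores it there (this is the asker's case).
        if parts.scheme != "https" or cert_errors:
            return False
        value = None
        for name, v in headers:
            if name.lower() == "strict-transport-security":
                value = v
                break  # only the first STS header field is processed
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain that set includeSubDomains, is an HSTS host."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                del self.hosts[candidate]  # expired entries are evicted lazily
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Apply the HSTS URI rewrite before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Replay the question's header over HTTP, then over HTTPS."""
    hsts = "max-age=63072000; includeSubdomains;"  # header value from the question
    store = HstsStore()
    # Served over plain HTTP: ignored, so http://example.com still loads over HTTP.
    store.process_response("http://example.com/", [("Strict-Transport-Security", hsts)])
    before = store.rewrite("http://example.com/")
    # Served over HTTPS with a valid certificate: honored, so later HTTP URLs
    # for the host and (includeSubDomains) its subdomains are upgraded.
    store.process_response("https://example.com/", [("Strict-Transport-Security", hsts)])
    after = store.rewrite("http://example.com/")
    sub = store.rewrite("http://www.example.com/login")
    return before, after, sub
```

The server-side counterpart of this model is what the answer describes: the HTTP listener should only answer with a redirect to the https:// URL, and the HSTS header should be set on HTTPS responses, since that is the only place the browser will ever read it. Until the first successful HTTPS visit (or a preload-list entry) the browser has no HSTS state for the host, which is why the asker still reaches the site over HTTP.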