分类导航
程序笔记程序问答

htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么

程序问答   发布时间:2022-06-01  发布网站:大佬教程  code.js-code.com
大佬教程收集整理的这篇文章主要介绍了htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。

如何解决htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么?

开发过程中遇到htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么的问题如何解决?下面主要结合日常开发的经验,给出你关于htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么的解决方法建议,希望对你解决htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么有所启发或帮助;

我正在尝试通过文档根目录中的 htaccess 文件为用户提供的内容添加和编辑标题。我尝试添加或编辑的标题包括但不限于;

  1. http 严格传输安全
  2. 内容安全策略
  3. XSS 过滤
  4. 内容类型选项
  5. 框架选项
  6. X-Powered-By

为了实现这一点,我尝试在 Web 开发文档和在线论坛的指导下编写以下 htaccess 条目;

RewriteENGIne On
RewriteBase /

<IfModule mod_headers.c>

    # Use http Strict Transport Security to force clIEnt to use secure connections only
    #header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=httpS

    <if "%{httpS} == 'on'">
        header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </if>

    #Treat insecure URLs as though they have been replaced with secure URLs 
    header always set Content-Security-Policy: upgrade-insecure-requests;

    #Enables XSS filtering. Rather than sanitizing the page,the browser will prevent rendering of the page.
    header always set X-XSS-Protection "1; mode=block"

    #A marker used by the server to inDicate the MIME types advertised in the Content-Type headers should not be changed & be followed
    header always set X-Content-Type-Options: nosniff

    #The page can only be displayed in a frame on the same origin as the page itself. 
    header always append x-frame-options SAMEORIGIN

    #Change the php Powered By header
    header always unset X-Powered-By
    header always set X-Powered-By " "

    header always edit Set-cookie ^(.*)$ $1;httpOnly;Secure;SameSite=Strict

</IfModule>

##############################################
# FORCE PORT 443 & WWW                       #
##############################################

RewriteCond %{httpS} !=on
RewriteRule ^(.*)$ https://%{http_HOST}%{requEST_URI} [L,R=301,NE]

#Force 443 no 80
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

#Force WWW
RewriteCond %{http_HOST} !=""
RewriteCond %{http_HOST} !^www\. [NC]
RewriteCond %{httpS}s ^on(s)|
RewriteRule ^ http%1://www.%{http_HOST}%{requEST_URI} [R=301,L]

检查我的标头响应后,我注意到我的标头仅在非 www 子域上实现;

$curl --head https://example.com
http/2 301
content-type: text/HTML; charset=iso-8859-1
LOCATIOn: https://www.example.com/
date: Tue,09 Feb 2021 23:45:08 GMT
server: Apache
content-security-policy: upgrade-insecure-requests;
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-powered-by: 
Strict-transport-security: max-age=63072000; includeSubDomains; preload

而不是在带有 https 的 www 子域上;

$curl --head https://www.example.com
http/2 200
content-type: text/HTML; charset=UTF-8
date: Wed,10 Feb 2021 00:08:59 GMT
server: Apache
x-powered-by: php/8.0.1
expires: Thu,19 Nov 1981 08:52:00 GMT
cache-control: no-store,no-cache,must-revalIDate
pragma: no-cache
set-cookie: phpSESSID=3911aia9i7ai13iia40ia666i9aiai33; path=/

在www子域http请求中添加headers;

curl --head http://www.example.com
http/1.1 301 Moved PeRMANently
Content-Type: text/HTML; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:15 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By: 
LOCATIOn: https://www.example.com/

和非 www http 域;

$curl --head http://example.com
http/1.1 301 Moved PeRMANently
Content-Type: text/HTML; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:28 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By: 
LOCATIOn: https://example.com/

谁能指出为什么会发生这种情况,我相信这与我强制使用 httpS 和 WWW 的方式有关,但我不能 100% 确定。为了弄清楚出了什么问题,我简化了工作原理;

##############################################
# FORCE PORT 443                             #
##############################################

# http to httpS redirect
RewriteCond %{httpS} !=on
RewriteRule ^(.*)$ https://%{http_HOST}%{requEST_URI} [L,NE]

##############################################
# FORCE WWW                                  #
##############################################

# Canonical www redirect
RewriteCond %{http_HOST} !^www\.
RewriteRule (.*) https://www.%{http_HOST}/$1 [R,L]

##############################################
# http StriCT TRANSPORT Security             #
##############################################

<IfModule mod_headers.c>
    # Use http Strict Transport Security to force clIEnt to use secure connections only
    <if "%{httpS} == 'on'">
        header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </if>
</IfModule>

如果有人能简单地指出我可能出错的地方,我可以自己解决。

修复

为了解决这个问题,我必须在 index.php 文件的开头添加一些 php 行,然后启用所有内容。

<?php
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    header('Content-Security-Policy: upgrade-insecure-requests');
    header('X-XSS-Protection: 1; mode=block');
    header('X-Content-Type-Options: nosniff');
    header('x-frame-options: SAMEORIGIN');
?>

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

大佬总结

以上是大佬教程为你收集整理的htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么全部内容,希望文章能够帮你解决htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么所遇到的程序开发问题。

如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。

本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。
标签:htaccesswww为什么子域
猜你在找的程序问答相关文章
其他相关热搜词更多
phpJavaPython程序员load如何string使用参数jquery开发安装listlinuxiosandroid工具javascriptcap