问题描述
我正在尝试通过文档根目录中的 htaccess 文件为用户提供的内容添加和编辑标题。我尝试添加或编辑的标题包括但不限于;
为了实现这一点,我尝试在 Web 开发文档和在线论坛的指导下编写以下 htaccess 条目;
RewriteEngine On
RewriteBase /
<IfModule mod_headers.c>
# Use HTTP Strict Transport Security to force client to use secure connections only
#Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
<if "%{HTTPS} == 'on'">
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</if>
#Treat insecure URLs as though they have been replaced with secure URLs
Header always set Content-Security-Policy: upgrade-insecure-requests;
#Enables XSS filtering. Rather than sanitizing the page,the browser will prevent rendering of the page.
Header always set X-XSS-Protection "1; mode=block"
#A marker used by the server to indicate the MIME types advertised in the Content-Type headers should not be changed & be followed
Header always set X-Content-Type-Options: nosniff
#The page can only be displayed in a frame on the same origin as the page itself.
Header always append x-frame-options SAMEORIGIN
#Change the PHP Powered By Header
Header always unset X-Powered-By
Header always set X-Powered-By " "
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
</IfModule>
##############################################
# FORCE PORT 443 & WWW #
##############################################
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
#Force 443 no 80
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
#Force WWW
RewriteCond %{HTTP_HOST} !=""
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
检查我的标头响应后,我注意到我的标头仅在非 www 子域上实现;
$curl --head https://example.com
HTTP/2 301
content-type: text/html; charset=iso-8859-1
location: https://www.example.com/
date: Tue,09 Feb 2021 23:45:08 GMT
server: Apache
content-security-policy: upgrade-insecure-requests;
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-powered-by:
strict-transport-security: max-age=63072000; includeSubDomains; preload
而不是在带有 https 的 www 子域上;
$curl --head https://www.example.com
HTTP/2 200
content-type: text/html; charset=UTF-8
date: Wed,10 Feb 2021 00:08:59 GMT
server: Apache
x-powered-by: PHP/8.0.1
expires: Thu,19 Nov 1981 08:52:00 GMT
cache-control: no-store,no-cache,must-revalidate
pragma: no-cache
set-cookie: PHPSESSID=3911aia9i7ai13iia40ia666i9aiai33; path=/
在www子域http请求中添加headers;
curl --head http://www.example.com
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:15 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By:
Location: https://www.example.com/
和非 www http 域;
$curl --head http://example.com
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:28 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By:
Location: https://example.com/
谁能指出为什么会发生这种情况,我相信这与我强制使用 HTTPS 和 WWW 的方式有关,但我不能 100% 确定。为了弄清楚出了什么问题,我简化了工作原理;
##############################################
# FORCE PORT 443 #
##############################################
# HTTP to HTTPS redirect
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,NE]
##############################################
# FORCE WWW #
##############################################
# Canonical www redirect
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]
##############################################
# HTTP STRICT TRANSPORT Security #
##############################################
<IfModule mod_headers.c>
# Use HTTP Strict Transport Security to force client to use secure connections only
<if "%{HTTPS} == 'on'">
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</if>
</IfModule>
如果有人能简单地指出我可能出错的地方,我可以自己解决。
修复
为了解决这个问题,我必须在 index.PHP 文件的开头添加一些 PHP 行,然后启用所有内容。
<?PHP
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
header('Content-Security-Policy: upgrade-insecure-requests');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('x-frame-options: SAMEORIGIN');
?>
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)