htaccess 标头仅添加到非 www 子域而不是 www 子域,为什么

编程问答 2022-05-26

问题描述

我正在尝试通过文档根目录中的 htaccess 文件用户提供的内容添加和编辑标题。我尝试添加或编辑的标题包括但不限于;

  1. HTTP 严格传输安全
  2. 内容安全策略
  3. XSS 过滤
  4. 内容类型选项
  5. 框架选项
  6. X-Powered-By

为了实现这一点,我尝试在 Web 开发文档和在线论坛的指导下编写以下 htaccess 条目;

RewriteEngine On
RewriteBase /

<IfModule mod_headers.c>

    # Use HTTP Strict Transport Security to force client to use secure connections only
    #Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS

    <if "%{HTTPS} == 'on'">
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </if>

    #Treat insecure URLs as though they have been replaced with secure URLs 
    Header always set Content-Security-Policy: upgrade-insecure-requests;

    #Enables XSS filtering. Rather than sanitizing the page,the browser will prevent rendering of the page.
    Header always set X-XSS-Protection "1; mode=block"

    #A marker used by the server to indicate the MIME types advertised in the Content-Type headers should not be changed & be followed
    Header always set X-Content-Type-Options: nosniff

    #The page can only be displayed in a frame on the same origin as the page itself. 
    Header always append x-frame-options SAMEORIGIN

    #Change the PHP Powered By Header
    Header always unset X-Powered-By
    Header always set X-Powered-By " "

    Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict

</IfModule>

##############################################
# FORCE PORT 443 & WWW                       #
##############################################

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

#Force 443 no 80
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

#Force WWW
RewriteCond %{HTTP_HOST} !=""
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

检查我的标头响应后,我注意到我的标头仅在非 www 子域上实现;

$curl --head https://example.com
HTTP/2 301
content-type: text/html; charset=iso-8859-1
location: https://www.example.com/
date: Tue,09 Feb 2021 23:45:08 GMT
server: Apache
content-security-policy: upgrade-insecure-requests;
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-powered-by: 
strict-transport-security: max-age=63072000; includeSubDomains; preload

而不是在带有 https 的 www 子域上;

$curl --head https://www.example.com
HTTP/2 200
content-type: text/html; charset=UTF-8
date: Wed,10 Feb 2021 00:08:59 GMT
server: Apache
x-powered-by: PHP/8.0.1
expires: Thu,19 Nov 1981 08:52:00 GMT
cache-control: no-store,no-cache,must-revalidate
pragma: no-cache
set-cookie: PHPSESSID=3911aia9i7ai13iia40ia666i9aiai33; path=/

在www子域http请求中添加headers;

curl --head http://www.example.com
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:15 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By: 
Location: https://www.example.com/

和非 www http 域;

$curl --head http://example.com
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed,10 Feb 2021 00:49:28 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
x-frame-options: SAMEORIGIN
X-Powered-By: 
Location: https://example.com/

谁能指出为什么会发生这种情况,我相信这与我强制使用 HTTPS 和 WWW 的方式有关,但我不能 100% 确定。为了弄清楚出了什么问题,我简化了工作原理;

##############################################
# FORCE PORT 443                             #
##############################################

# HTTP to HTTPS redirect
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,NE]

##############################################
# FORCE WWW                                  #
##############################################

# Canonical www redirect
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]

##############################################
# HTTP STRICT TRANSPORT Security             #
##############################################

<IfModule mod_headers.c>
    # Use HTTP Strict Transport Security to force client to use secure connections only
    <if "%{HTTPS} == 'on'">
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </if>
</IfModule>

如果有人能简单地指出我可能出错的地方,我可以自己解决

修复

为了解决这个问题,我必须在 index.PHP 文件的开头添加一些 PHP 行,然后启用所有内容

<?PHP
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    header('Content-Security-Policy: upgrade-insecure-requests');
    header('X-XSS-Protection: 1; mode=block');
    header('X-Content-Type-Options: nosniff');
    header('x-frame-options: SAMEORIGIN');
?>

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

.htaccesshttp-headersmod-rewriteno-wwwsubdomain

相关问答

Selenium Web驱动程序和Java元素在(x,y)点处不可单击其他元素将获得点击?
Selenium Web驱动程序和Java。元素在(x,y)点处不可单击。其...
Python-如何使用点“” 访问字典成员?
Python-如何使用点“。” 访问字典成员?
Java 字符串是不可变的到底是什么意思?
Java 字符串是不可变的。到底是什么意思?
Java中的“ final”关键字如何工作?我仍然可以修改对象
Java中的“ final”关键字如何工作?(我仍然可以修改对象。...
“loop:”在Java代码中这是什么,为什么要编译?
“loop:”在Java代码中。这是什么,为什么要编译?
java.lang.ClassNotFoundException:sun.jdbc.odbc.JdbcOdbcDriver发生异常为什么?
java.lang.ClassNotFoundException:sun.jdbc.odbc.JdbcOdbc...