HSTS (HTTP Strict Transport Security) โ brauzer'ga 'Bu sayt har doim HTTPS' deydi. HTTP versiyaga kirish urinishlari avtomatik HTTPS'ga yo'naltiriladi.
Nima uchun kerak?
301 redirect HTTP โ HTTPS yetarli emas. Foydalanuvchi http://sayt.uz yozsa โ brauzer HTTP versiyaga ulanadi (man-in-the-middle hujum mumkin), keyin HTTPS'ga o'tadi. HSTS โ bunday ulanishni butunlay oldini oladi.
Server javobi (HTTP header)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Parametrlar
max-age โ sekundlarda muddat. 31536000 = 1 yil. Brauzer shu davomida har doim HTTPS ishlatadi.
includeSubDomains โ subdomainlar uchun ham.
preload โ HSTS Preload List'ga qo'shilgan (eng kuchli).
HSTS Preload List
hstspreload.org โ Google ro'yxati. Sayt qo'shilgach Chrome, Firefox, Safari, Edge โ barcha brauzerlar HTTPS-only deb biladi. Birinchi tashrifda ham.
Apache
Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains'
Nginx
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
Sayt.uz
Cabinet โ SSL โ HSTS โ yoqib qo'yish. Yoki .htaccess'ga qo'shish.
Diqqat
HSTS yoqilganidan keyin HTTP versiyaga qaytish murakkab. Brauzer cache'da saqlanadi. Test muhitda diqqat bilan ishlating.
Test
SSL Labs SSL Test โ HSTS yoqilganmi ko'rsatadi. securityheaders.com โ har header tahlil.