4

我网站上的某些页面(身份验证、支付)必须通过 HTTPS 提供。

当客户端通过 HTTP 访问这样的页面时,我想将其重定向到 HTTPS 版本。

目前,我正在使用带有指向相同 URL301 Moved Permanently的标头的代码,并将方案修改为 HTTPS。Location

我想知道:是否有使用错误协议的特定 HTTP 响应代码?

类似于405 Method not allowedHTTP 动词的东西。

4

3 回答 3

2

Not as such, no — the 301 permanent redirect is exactly the right choice here.

However, there is such a thing as HTTP Strict Transport Security (HSTS), which allows you, once you've told the browser to use HTTPS using the 301 redirect, to also tell it never to use the unencrypted HTTP protocol again on your site. The way you do this is by including a header like shown below in the HTTPS response (not in the redirect, which is sent over plain HTTP):

Strict-Transport-Security: max-age=31536000; includeSubDomains

For more details, see the Wikipedia article linked above and RFC 6797.

于 2013-10-09T22:21:03.050 回答
0

据此 403.4 似乎是您想要的(在 IIS 中),但我不相信 HTTP 标准中有等效项。

于 2013-10-09T22:16:35.203 回答
0

响应 301 对于登录页面等似乎是合理的(不需要传输凭据来加载页面)。否则,当发送个人详细信息时,明智的做法是说未找到 (401),因为有人在恶作剧。检查引荐来源网址并定期检查日志文件也是明智之举。

(人们确实会复制网站并伪装成您的网站,只是在此过程中转发流量并收集个人详细信息:-()

于 2013-10-09T22:25:42.237 回答