Java 使用 Spring Boot 应用程序启用 HTTP 严格传输安全 (HSTS)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/50511702/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Enable HTTP Strict Transport Security (HSTS) with spring boot application
提问by kk.
I have followed the article https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hststo enable HSTS header on my spring boot application. Despite of making the required changes, Strict-Transport-Securityheader is not appearing the response.
我已经按照文章https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts在我的 Spring Boot 应用程序上启用 HSTS 标头。尽管进行了所需的更改,Strict-Transport-Security但响应中并未出现标头。
pom.xml (dependencies)
pom.xml(依赖项)
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
</dependencies>
WebSecurityConfig.java
网络安全配置文件
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.httpStrictTransportSecurity()
.includeSubDomains(true)
.maxAgeInSeconds(31536000);
}
}
List of headers:
标题列表:
cache-control →no-cache, no-store, max-age=0, must-revalidate
content-language →en-GB
content-type →text/html;charset=UTF-8
date →Thu, 24 May 2018 14:10:29 GMT
expires →0
pragma →no-cache
transfer-encoding →chunked
x-application-context →application:9000
x-content-type-options →nosniff
x-frame-options →SAMEORIGIN
x-xss-protection →1; mode=block
Am I missing anything?
我错过了什么吗?
采纳答案by David Bala?ic
In accordance with RFC6797, the HSTS header is only injected into HTTPS responses.
根据 RFC6797,HSTS 标头仅注入到 HTTPS 响应中。
Source: https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#headers-hsts
来源:https: //docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#headers-hsts
回答by Pri1me
It will only appear after the first request via HTTPS.
它只会在通过 HTTPS 的第一个请求之后出现。
