RFC 6797 - HTTP Strict Transport Security (HSTS)
Internet Engineering Task Force (IETF)
Request for Comments: 6797
Category: Standards Track
ISSN: 2070-1721
Authors:
J. Hodges (PayPal)
C. Jackson (Carnegie Mellon University)
A. Barth (Google, Inc.)
Published: November 2012
Abstract
This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at:
http://www.rfc-editor.org/info/rfc6797
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Table of Contents
- 1. Introduction
- 1.1 Organization of This Specification
- 1.2 Document Conventions
- 2. Overview
- 2.1 Use Cases
- 2.2 HTTP Strict Transport Security Policy Effects
- 2.3 Threat Model
- 2.4 Requirements
- 3. Conformance Criteria
- 4. Terminology
- 5. HSTS Mechanism Overview
- 5.1 HSTS Host Declaration
- 5.2 HSTS Policy
- 5.3 HSTS Policy Storage and Maintenance by User Agents
- 5.4 User Agent HSTS Policy Enforcement
- 6. Syntax
- 6.1 Strict-Transport-Security HTTP Response Header Field
- 6.2 Examples
- 7. Server Processing Model
- 7.1 HTTP-over-Secure-Transport Request Type
- 7.2 HTTP Request Type
- 8. User Agent Processing Model
- 8.1 Strict-Transport-Security Response Header Field Processing
- 8.2 Known HSTS Host Domain Name Matching
- 8.3 URI Loading and Port Mapping
- 8.4 Errors in Secure Transport Establishment
- 8.5 HTTP-Equiv <Meta> Element Attribute
- 8.6 Missing Strict-Transport-Security Response Header Field
- 9. Constructing an Effective Request URI
- 9.1 ERU Fundamental Definitions
- 9.2 Determining the Effective Request URI
- 10. Domain Name IDNA-Canonicalization
- 11. Server Implementation and Deployment Advice
- 11.1 Non-Conformant User Agent Considerations
- 11.2 HSTS Policy Expiration Time Considerations
- 11.3 Using HSTS in Conjunction with Self-Signed Public-Key Certificates
- 11.4 Implications of includeSubDomains
- 12. User Agent Implementation Advice
- 12.1 No User Recourse
- 12.2 User-Declared HSTS Policy
- 12.3 HSTS Pre-Loaded List
- 12.4 Disallow Mixed Security Context Loads
- 12.5 HSTS Policy Deletion
- 13. Internationalized Domain Names for Applications (IDNA): Dependency and Migration
- 14. Security Considerations
- 14.1 Underlying Secure Transport Considerations
- 14.2 Non-Conformant User Agent Implications
- 14.3 Ramifications of HSTS Policy Establishment Only over Error-Free Secure Transport
- 14.4 The Need for includeSubDomains
- 14.5 Denial of Service
- 14.6 Bootstrap MITM Vulnerability
- 14.7 Network Time Attacks
- 14.8 Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
- 14.9 Creative Manipulation of HSTS Policy Store
- 14.10 Internationalized Domain Names
- 15. IANA Considerations
- 16. References
- 16.1 Normative References
- 16.2 Informative References
Appendices
- Appendix A. Design Decision Notes
- Appendix B. Differences between HSTS Policy and Same-Origin Policy
- Appendix C. Acknowledgments
Related Resources
- Official text: RFC 6797
- Official page: RFC 6797 DataTracker
- Errata: RFC Editor Errata
- HSTS preload list: hstspreload.org
Quick Reference
Why HSTS matters
By forcing HTTPS connections, HSTS addresses the following key web security problems:
- SSL stripping attacks: an attacker replaces HTTPS links with HTTP ones
- Man-in-the-middle attacks: interception and modification of unencrypted traffic
- Session hijacking: theft of cookies transmitted over HTTP
- Mixed content: HTTPS pages loading HTTP resources
Basic Usage
Server configuration example (Nginx):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Browser behaviour:
User visits: http://example.com
Browser automatically rewrites to: https://example.com
Certificate error: the load is blocked outright; the user is not allowed to continue
Deployment Recommendations
- Testing phase: max-age=300 (5 minutes)
- Initial deployment: max-age=86400 (1 day)
- Stable operation: max-age=31536000 (1 year)
- Joining the preload list: max-age=63072000; includeSubDomains; preload
Caveats
⚠️ Important warnings:
- Once HSTS is set, it is hard to revoke quickly
- Make sure every subdomain supports HTTPS before using includeSubDomains
- Do not rely on sending the HSTS header in plain HTTP responses (it will be stripped or ignored)
- Avoid long max-age values in development environments
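As an added illustration (not code from the RFC, a browser, or any project), the following Python sketches the user-agent side described in the Quick Reference and Caveats above: parsing the Strict-Transport-Security header per Section 6.1, noting the policy only when it arrives over a secure connection (Section 8.1), superdomain matching for includeSubDomains (Section 8.2), and the http-to-https rewrite with port mapping (Section 8.3). Function and variable names are my own; example.com hosts are constructed test values.

```python
from urllib.parse import urlsplit, urlunsplit

# Toy RFC 6797 user-agent policy store: lower-cased host -> (expiry_epoch, include_subdomains)
known_hosts = {}

def parse_sts_header(value):
    """6.1: case-insensitive directives; max-age required, duplicates invalid, unknown ignored."""
    seen, max_age, include_sub = set(), None, False
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, val = map(str.strip, directive.lower().partition("="))
        if name in seen:
            return None  # repeated directive: the whole header is invalid (6.1)
        seen.add(name)
        if name == "max-age":
            val = val.strip('"')  # delta-seconds may be a quoted-string
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def process_response(host, sts_header, over_tls, now):
    """8.1: note the policy only over error-free secure transport; max-age=0 deletes it (6.1.1)."""
    parsed = parse_sts_header(sts_header) if over_tls and sts_header else None
    if parsed is None:
        return False
    if parsed[0] == 0:
        known_hosts.pop(host.lower(), None)
    else:
        known_hosts[host.lower()] = (now + parsed[0], parsed[1])
    return True

def is_known_hsts_host(host, now):
    """8.2: exact match, or superdomain match when that entry set includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = known_hosts.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def rewrite_uri(url, now):
    """8.3: http -> https for known hosts; port 80 becomes 443, other explicit ports are kept."""
    p = urlsplit(url)
    if p.scheme != "http" or not is_known_hsts_host(p.hostname, now):
        return url
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

A header received over plain HTTP leaves the store untouched, which is why the Caveats above say not to rely on it there; an expired entry is ignored on lookup rather than rewriting the request.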
This RFC is one of the cornerstones of modern web security and is supported by all major browsers. Correctly deployed, HSTS significantly improves a site's security.