Moodle VS. HTTPS and Enable HSTS

This article demonstrates the steps for moving your Moodle site to HTTPS and then enabling the HTTP Strict Transport Security (HSTS) policy so that HTTPS is enforced.

You will also learn what HSTS is and why enabling the HSTS policy matters. Enabling the HSTS policy is one of the safety measures that Click-AP recommends after deploying the SSL certificate and forcing HTTPS redirection. The article also covers how we recommend deploying the HTTPS certificate, and the temporary and permanent redirects from HTTP to HTTPS. To implement the HSTS policy, you need to add a series of rules to your Moodle site.


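We start with setting up HTTPS, then discuss redirecting HTTP to HTTPS (because the browsers of teachers and students may still hold browsing history that points at the old HTTP URLs).

The result first: you will see Moodle redirect you to HTTPS with a 302.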

302 to 301

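The approach above responds with a 302 and redirects, but 302 is a temporary redirect (302 Found, that is, Moved Temporarily). Once you have tested Moodle over HTTPS and put HTTPS into production, you will want browsers to get a 301 Moved Permanently instead.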


Using this feature, all users are automatically routed to the secure version of your site. Chalk one up for the good guys!

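Using HTTPS keeps earning points for your Moodle.

But that is not enough. If you look at the figure above, from the user opening a connection with the HTTP URL to the server answering with a 302/301 redirect to the HTTPS URL, you will see that there are two connections. An experienced network administrator will recognize the risk, and this is where the problem lies: before the redirect happens there is a window in which the connection can be attacked.

Therefore, we must design a connection that involves no HTTP at all.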

This mechanism is called HTTP Strict Transport Security (HSTS) and is described in the specification RFC 6797. The spec defines a new response header called Strict-Transport-Security, which tells browsers that the website should be accessed only over HTTPS.


What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy and web server directive launched by Google in July 2016. It is a method by which a website tells user agents and web browsers how to handle connections to it, using a response header sent back to the browser at the very beginning of each connection. (Also see: Broadening HSTS to secure more of the Web.)

The header sets the Strict Transport Security policy field parameter. It forces Moodle to load over the HTTPS protocol and disregards any script or reference inside Moodle that tries to load site content over the HTTP protocol.

The last image shows the screen after HSTS has gone live.