Moodle VS. HTTPS and Enable HSTS

HTTP VS. HTTPS

我們先開始談 HTTPS 架設, 再來談 HTTP 轉HTTPS(因為老師及同學的瀏覽可能有舊的瀏覽記錄是舊的 HTTP 的)

302 to 301

前面的作法 會回應 302 並轉址, 但 302 是暫時轉址(302 Found 為 Moved Temporarily), 在你測試 Moodle 走 https 後, 正式讓 HTTPS 上線後, 會想要讓瀏覽器切到 301 Move Permanently   

301

Using this feature, all users are automatically routed to the secure version of your site. Chalk one up for the good guys!

使用 HTTPS 讓你的 Moodle 持續加分。

但還不夠，如果你有看到上圖中，從使用者開始連線使用  HTTP 網址，到伺服器回應 302/301 轉向到 HTTPS 的網址； 你就會知道它是兩條連線，有經驗的網管就會知道風險，這裡就是問題了，在轉址發生前會有空檔可能會被攻擊。

因此，我們必須設計一個完全沒有 HTTP 的連線。

This mechanism is called HTTP Strict Transport Security (HSTS) and is described in the specification RFC 6797. The spec defines a new response header called Strict-Transport-Security, which tells browsers that the website should be accessed only over HTTPS

這個機制就是ＨＳＴＳ。

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy and web server directive launched by Google in July 2016. It is a method used by websites that set regulations for user agents and a web

browser on how to handle its connection using the response header sent at the very beginning and back to the browser. (also see: Broadening HSTS to secure more of the Web)

This sets the Strict Transport Security policy field parameter. This forces the website to load on HTTPS protocol and disregards any script calling to load any of your website content over HTTP protocol.

HSTS 是網站安全的原則及網站伺服器指令，由 Google 在 2016年7月提出(連結)；是一個瀏覽器與網站間處理連線/通訊的方法；使用回應表頭(Response Header) 在每次連線一開始/回傳時。

HSTS 強制 Moodle 使用 HTTPS 通訊協定，並且忽略Moodle 內沒有使用 HTTPS 引用的內容。