網管通知外部公司掃描檢查發現 "HSTS Missing From HTTPS Server漏洞",更詳細的說明"The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.".
在網上找到解決方法是在web.config中加如下配置:
<system.webServer> <….其它配置..> <rewrite> <rules> <rule name="HTTP to HTTPS redirect" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="off" ignoreCase="true" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" /> </rule> </rules> <outboundRules> <rule name="Add Strict-Transport-Security when HTTPS" enabled="true"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" ignoreCase="true" /> </conditions> <action type="Rewrite" value="max-age=31536000" /> </rule> </outboundRules> </rewrite> </system.webServer>
然而發現更嚴重問題,網站都無法進入了,只能將這部分添加的進行刪除.
再在網上搜資料,發現有人說要求安裝 URL Rewrite,從微軟找到下載網址之後進行安裝
https://www.iis.net/downloads/microsoft/url-rewrite#additionalDownloads
再將上面的修改加上,就能正常工作了.