网管通知外部公司扫描检查发现 "HSTS Missing From HTTPS Server漏洞",更详细的说明"The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.".
在网上找到解决方法是在web.config中加如下配置:
<system.webServer> <….其它配置..> <rewrite> <rules> <rule name="HTTP to HTTPS redirect" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="off" ignoreCase="true" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" /> </rule> </rules> <outboundRules> <rule name="Add Strict-Transport-Security when HTTPS" enabled="true"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" ignoreCase="true" /> </conditions> <action type="Rewrite" value="max-age=31536000" /> </rule> </outboundRules> </rewrite> </system.webServer>
然而发现更严重问题,网站都无法进入了,只能将这部分添加的进行删除.
再在网上搜资料,发现有人说要求安装 URL Rewrite,从微软找到下载网址之后进行安装
https://www.iis.net/downloads/microsoft/url-rewrite#additionalDownloads
再将上面的修改加上,就能正常工作了.