- Vixual - http://www.vixual.net/blog -

如何自動將網站的 http:// 網址轉址為 https://


弱點: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

  1. Open Wi-Fi Hotspots
  2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
  3. Malicious Wi-Fi access points
  4. Compromised switches and routers
  5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.



如果網站沒有強制使用 https 加密,可能會因 DNS 劫持,或其它網路環境的安全因素,而遭受中間人攻擊旁觀者攻擊! 所以網站應該要申請 SSL 憑證,並強制將所有的網頁通過 https 加密傳輸資料。


1. 自行申請 SSL 憑證。

2. 於網站的根目錄建立一個 .htaccess 檔案,檔案內容:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]