如何自動將網站的 http:// 網址轉址為 https://
弱點掃瞄
弱點: Site does not enforce HTTPS
The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:
- Open Wi-Fi Hotspots
- WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
- Malicious Wi-Fi access points
- Compromised switches and routers
- ARP poisoning on the same wired network
It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.
- Severity: High
- Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
- Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.
解決方法
說明
如果網站沒有強制使用 https 加密,可能會因 DNS 劫持,或其它網路環境的安全因素,而遭受中間人攻擊或旁觀者攻擊! 所以網站應該要申請 SSL 憑證,並強制將所有的網頁通過 https 加密傳輸資料。
執行步驟
1. 自行申請 SSL 憑證。
2. 於網站的根目錄建立一個 .htaccess 檔案,檔案內容:
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
No comments yet.