Nginx 下启用 HSTS
What is HSTS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named “Strict-Transport-Security”.[2] HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.[3]
以上来自于维基百科
大概意思是说 HSTS 是一个 web 安全策略装置,用于保护 web 站点免受协议降级攻击和 cookie 劫持。