在 HTTPS 承载的页面上不允许出现 http 请求,一旦出现就是提示或报错
因此即使使用到的域名对http请求已经强制了https,但是在页面中浏览器对于http请求压根就不会发送,那么就必需替换页面上所有的http为https
于是从http协议入手,在响应header中添加upgrade-insecure-requests,即在php入口文件中添加:
```header("Content-Security-Policy: upgrade-insecure-requests");```或着也可以在由前端在html页面中添加meta:
```<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />```或者在nginx配置中进行header的添加:
```server { listen 443; server_name www.example.com; error_log /logs/nginx/error.log; root /var/www/www.example.com; index index.php index.html index.htm; ssl on; ssl_certificate cert/test/test.pem; ssl_certificate_key cert/test/test.key; ssl_session_timeout 5m; #添加响应头 add_header Content-Security-Policy "upgrade-insecure-requests'"; location / { if (!-f $request_filename){ rewrite ^/(.*)$ /index.php?s=$1 last; break; } limit_except GET POST DELETE PUT { deny all; } } …… }```从而让浏览器对页面中的所有http请求,都升级为https协议发送请求,从而省去了逐一修改url的协议的麻烦。
