18F / pulse

How the federal .gov domain space is doing at best practices and policies.

Uses HTTPS, etc., for edpubs.ed.gov vs. edpubs.gov #624

Closed djharrity closed 7 years ago

djharrity commented 7 years ago

Per the 'download subdomain data for this agency' for the ED.gov domain, the edpubs.ed.gov domain shows as No for Uses HTTPS and therefore doesn't check Enforces and HSTS.

However, the associated EDPUBS.gov does indicate HSTS is strictly enforced throughout the zone!

Is there something on our end or the scanning tool to resolve?

konklone commented 7 years ago

Well, edpubs.ed.gov doesn't use HTTPS: https://edpubs.ed.gov (bad hostname error)

And edpubs.gov's HSTS status doesn't affect the status of edpubs.ed.gov, which is on a different parent domain (ed.gov).

Though as a note, even if they were on the same parent domain, the CSV would still show the scanned status for that subdomain, regardless of its parent domain's HSTS/preloading status. As a courtesy and incentive to preload, and in recognition of OMB's guidance that preloading is sufficient for M-15-13 compliance, we don't display subdomain data on the Pulse HTML table for preloaded domains. But we still scan all subdomains and provide that data in raw form via CSV.

In this case, the principal issue is that edpubs.ed.gov is a separate zone from edpubs.gov. Let me know if that doesn't clear things up, happy to reopen!
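As an added example (not code from the Pulse project) of the zone point above: a small Python check that derives the parent zone of a .gov host and tests whether a parent's Strict-Transport-Security header, with includeSubDomains, can reach a given subdomain. The scan rows and the parent-domain rule (last two labels) are constructed assumptions for illustration.

```python
# Added example (not 18F/pulse code): work out which parent zone a .gov host
# belongs to and whether a parent's HSTS policy can apply to it.

def parent_domain(host: str) -> str:
    """Registrable parent of a .gov host: its last two labels (assumed rule;
    .gov zones are registered at the second level, so no suffix list needed)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_covers(policy_host: str, header: str, target: str) -> bool:
    """True if the HSTS header served by policy_host applies to target: the
    host itself, or a descendant label when includeSubDomains is set."""
    policy = parse_hsts(header)
    if policy["max_age"] <= 0:
        return False  # max-age=0 clears the policy rather than setting one
    if target == policy_host:
        return True
    return policy["include_subdomains"] and target.endswith("." + policy_host)

# Constructed scan rows mirroring the issue: edpubs.gov serves a strict policy,
# edpubs.ed.gov (a separate zone under ed.gov) failed the HTTPS check.
EDPUBS_GOV_HSTS = "max-age=31536000; includeSubDomains; preload"
SCAN = {
    "edpubs.gov": {"uses_https": True},
    "edpubs.ed.gov": {"uses_https": False},
}

def explain(target: str) -> dict:
    """Parent zone of target and whether edpubs.gov's policy reaches it."""
    return {
        "parent": parent_domain(target),
        "uses_https": SCAN.get(target, {}).get("uses_https"),
        "covered_by_edpubs_gov": hsts_covers("edpubs.gov", EDPUBS_GOV_HSTS, target),
    }
```

Calling `explain("edpubs.ed.gov")` reports parent `ed.gov` and no coverage from edpubs.gov's policy, which is why the subdomain row is scanned on its own merits.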