18F / pulse

How the federal .gov domain space is doing at best practices and policies.

Pulse can't follow 301 redirect?? #800

Closed noisyneighbor closed 5 years ago

noisyneighbor commented 5 years ago

Pulse can't follow a 302 redirect if the full URL is not in the Location field. For example, if I issue the following command:

curl -s -D- .gov

the result is:

HTTP/1.1 301 Moved Permanently
Location: https://< my site>.gov/
Strict-Transport-Security: max-age=31536000; includeSubDomains

If I issue this command:

curl -s -D- https://< my site >.gov

the result is this:

HTTP/1.1 302 Object Moved
Location: /vpn/index.html

If I issue this command:

curl -s -D- https://< my site >.gov/vpn/index.html | grep Strict

the result is:

Strict-Transport-Security: max-age=31536000

Pulse still says that I am not HSTS compliant? What can I do? Why am I not compliant?

konklone commented 5 years ago

@noisyneighbor Can you share the website you're checking? This would make it easier to debug. You can email the URL to pulse@cio.gov if you're not comfortable posting it publicly, but I recommend just posting it publicly to make discussion easier.

noisyneighbor commented 5 years ago

try citgo.cdc.gov or webmail.cdc.gov

Thanks

Curt

konklone commented 5 years ago

@noisyneighbor it looks like you are missing the HSTS header on the root:

$ curl --head https://webmail.cdc.gov
HTTP/1.0 302 Found
Location: https://webmail.cdc.gov/owa/
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

If you're seeing something different, it might be because you're scanning from inside the firewall and have different DNS for internal services?

Right now, Pulse (and DHS) look for the HSTS header at the root, rather than at a redirect destination. If you can get the HSTS header onto the root, that would resolve this.
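To make the distinction in this last comment concrete, here is an added example (not code from the Pulse project or from anyone in this thread): it parses `curl -s -D-` style header dumps into a redirect chain, resolves a bare-path Location against the requesting URL, and reports both whether the root response carries Strict-Transport-Security (the check Pulse and DHS perform) and where in the chain the header first appears (what the reporter saw). The header dumps and the `example.gov` host are constructed, modelled on the output quoted above.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin


@dataclass
class Hop:
    """One response in a redirect chain: the URL requested and what came back."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def parse_curl_headers(url: str, dump: str) -> Hop:
    """Build a Hop from a `curl -s -D-` style header dump (status line + headers)."""
    lines = [ln.strip() for ln in dump.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])            # "HTTP/1.1 302 Object Moved" -> 302
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return Hop(url, status, headers)


def next_url(hop: Hop):
    """Resolve the Location header, which may be a bare path, against the hop's own URL."""
    loc = hop.headers.get("location")
    if hop.status in (301, 302, 303, 307, 308) and loc:
        return urljoin(hop.url, loc)
    return None


def hsts_report(chain: list) -> dict:
    """Compare 'HSTS on the root' (what Pulse checks) with 'HSTS somewhere in the chain'."""
    for cur, nxt in zip(chain, chain[1:]):
        if next_url(cur) != nxt.url:              # the hops must actually link up
            raise ValueError(f"{cur.url} does not redirect to {nxt.url}")
    hsts_urls = [h.url for h in chain if "strict-transport-security" in h.headers]
    return {
        "root_hsts": "strict-transport-security" in chain[0].headers,
        "first_hsts_url": hsts_urls[0] if hsts_urls else None,
        "final_url": chain[-1].url,
    }


# Constructed header dumps modelled on the reporter's curl output; example.gov is a placeholder host.
REPORTED_CHAIN = [
    parse_curl_headers("https://example.gov/",
                       "HTTP/1.1 302 Object Moved\nLocation: /vpn/index.html"),
    parse_curl_headers("https://example.gov/vpn/index.html",
                       "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000"),
]
```

For the reported chain, `hsts_report` returns `root_hsts` False and `first_hsts_url` pointing at `/vpn/index.html`, which is exactly the gap Pulse flags; adding the header to the 302 response itself flips `root_hsts` to True.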