Closed noisyneighbor closed 5 years ago
@noisyneighbor Can you share the website you're checking? This would make it easier to debug. You can email the URL to pulse@cio.gov if you're not comfortable posting it publicly, but I recommend just posting it publicly to make discussion easier.
try citgo.cdc.gov or webmail.cdc.gov
Thanks
@noisyneighbor it looks like you are missing the HSTS header on the root:
$ curl --head https://webmail.cdc.gov
HTTP/1.0 302 Found
Location: https://webmail.cdc.gov/owa/
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
If you're seeing something different, it might be because you're scanning from inside the firewall and have different DNS for internal services?
Right now, Pulse (and DHS) look for the HSTS header at the root, rather than at a redirect destination. If you can get the HSTS header onto the root, that would resolve this.
Pulse can't follow a 302 redirect if the full URL is not in the Location field. For example, if I issue the following command: curl -s -D- < my site >.gov the result is:
HTTP/1.1 301 Moved Permanently
Location: https://< my site >.gov/
Strict-Transport-Security: max-age=31536000; includeSubDomains
If I issue this command: curl -s -D- https://< my site >.gov the result is this:
HTTP/1.1 302 Object Moved
Location: /vpn/index.html
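As an added illustration (not Pulse's code and not anything the commenters posted), the following contrasts the two checks discussed in this thread: looking for HSTS on the root response only, versus following redirects while resolving a relative Location such as /vpn/index.html against the current URL. The hostnames and responses are constructed in memory so it runs offline.

```python
from urllib.parse import urljoin

# Constructed sample responses keyed by URL -> (status, headers). They mimic
# the two situations in the thread: HSTS only on the redirect target, and a
# redirect whose Location is a relative path rather than a full URL.
SAMPLE_RESPONSES = {
    "https://webmail.example.gov/": (302, {"Location": "https://webmail.example.gov/owa/"}),
    "https://webmail.example.gov/owa/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    "https://vpn.example.gov/": (302, {"Location": "/vpn/index.html"}),
    "https://vpn.example.gov/vpn/index.html": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://root.example.gov/": (301, {"Location": "https://root.example.gov/",
                                        "Strict-Transport-Security": "max-age=31536000"}),
}


def _hsts_header(headers):
    """Return the Strict-Transport-Security value, matching the name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return value
    return None


def hsts_at_root(responses, url):
    """Pulse-style check: only the root response counts, redirects are not followed."""
    _status, headers = responses[url]
    return _hsts_header(headers)


def hsts_following_redirects(responses, url, max_hops=5):
    """Follow 3xx hops and return (url_where_hsts_was_seen, hsts_value, hops).

    Relative Locations are resolved with urljoin, as a browser would do.
    An HSTS header on a non-HTTPS hop is ignored, as RFC 6797 requires.
    """
    hops = [url]
    for _ in range(max_hops):
        if url not in responses:          # unknown URL: nothing more to check
            return url, None, hops
        status, headers = responses[url]
        hsts = _hsts_header(headers)
        if hsts is not None and url.startswith("https://"):
            return url, hsts, hops
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            return url, None, hops        # final response, no HSTS seen
        url = urljoin(url, location)      # "/vpn/index.html" -> absolute URL
        hops.append(url)
    return url, None, hops                # redirect loop or too many hops
```

The root-only check reports the webmail case as missing HSTS even though the /owa/ target sends it, which is exactly the gap described above; the redirect-following check also shows why a relative Location is not a problem once it is resolved against the request URL.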