Closed dalf closed 4 years ago
searx.hlfh.space uses unixfox/antibot-proxy, which forbids any request method apart from GET and POST, but it's probably due to a misconfiguration of antibot-proxy by the owner (I don't own searx.hlfh.space) because it shouldn't return a 500 error but a 403 one, and it shouldn't block anything on the main page if configured properly.
Cryptcheck uses a HEAD request method for checking the HSTS header, so that's why it can't detect the HSTS header: https://github.com/aeris/cryptcheck/blob/master/lib/cryptcheck/tls/https/server.rb#L18.
One way to fix that is to serve the HSTS from the proxy (NGINX or Caddy) instead of serving it from Searx.
CryptCheck uses a HEAD request in compliance with RFC 2616 §9.4 so as not to be fooled by a server sending a huge/endless stream in the body.
At the moment, your host doesn't present the HSTS header on such a request, but only on a GET request:
```
$ curl -vi https://searx.hlfh.space |& rg "^strict|> .* HTTP/2"
> GET / HTTP/2
< HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
$ curl -vIi https://searx.hlfh.space |& rg "^strict|> .* HTTP/2"
> HEAD / HTTP/2
< HTTP/2 500
```
You need to use the `always` flag of `add_header` under nginx, or `Header` under apache, to have HSTS regardless of the response code. By default, the HSTS header is sent only on a 200 response code, which can be a weakness (302 Location not protected).
Responding differently (neither the same response code nor the same headers) for GET and HEAD is not RFC 2616 compliant.
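An added checker, not part of this thread or of cryptcheck, that applies the two rules above (same status on GET and HEAD, HSTS present on every response code, not just 200) to captured responses. The sample responses are constructed from the curl output quoted above; the `Response` class, `MIN_MAX_AGE` and the `/old` redirect path are assumptions, and nothing is fetched from the network.

```python
from dataclasses import dataclass, field

MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts (assumed threshold)


@dataclass
class Response:
    """One captured HTTP exchange; constructed inline, nothing is fetched."""
    method: str
    status: int
    headers: dict = field(default_factory=dict)
    path: str = "/"


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    policy = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name:
            policy[name.lower()] = val.strip() or True
    return policy


def hsts_header(resp):
    """Header names are case-insensitive; HTTP/2 clients show them lower-cased."""
    return next((v for k, v in resp.headers.items()
                 if k.lower() == "strict-transport-security"), None)


def check_hsts(responses):
    """Return findings as strings; an empty list means the host passes."""
    findings, by_path = [], {}
    for r in responses:
        by_path.setdefault(r.path, {})[r.method.upper()] = r
        tag = f"{r.method} {r.path} {r.status}"
        value = hsts_header(r)
        if value is None:  # catches 500/302 responses sent without `always`
            findings.append(f"{tag}: no Strict-Transport-Security header")
            continue
        policy = parse_hsts(value)
        max_age = str(policy.get("max-age", ""))
        if not max_age.isdigit() or int(max_age) < MIN_MAX_AGE:
            findings.append(f"{tag}: max-age missing or below {MIN_MAX_AGE}")
        if "includesubdomains" not in policy:
            findings.append(f"{tag}: includeSubDomains missing")
    for path, m in by_path.items():  # RFC 2616 §9.4: HEAD must mirror GET
        get, head = m.get("GET"), m.get("HEAD")
        if get and head and get.status != head.status:
            findings.append(f"{path}: GET {get.status} vs HEAD {head.status} (RFC 2616 §9.4)")
    return findings


HSTS = "max-age=31536000; includeSubDomains; preload"
# Constructed from the thread's curl output: HSTS on GET only, HEAD returns 500.
BEFORE_FIX = [Response("GET", 200, {"strict-transport-security": HSTS}),
              Response("HEAD", 500)]
# Constructed 'after' state: header on HEAD and on a redirect, as `always` gives.
AFTER_FIX = [Response("GET", 200, {"strict-transport-security": HSTS}),
             Response("HEAD", 200, {"strict-transport-security": HSTS}),
             Response("GET", 302, {"location": "/", "strict-transport-security": HSTS}, "/old")]

if __name__ == "__main__":
    for label, rs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_hsts(rs) or "OK")
```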
Thank you for the quick answer and the link to the RFC.
I have triple checked these lines: https://github.com/aeris/cryptcheck/blob/4e0e7e086bbfb79a1a1bf21d967125ed5b8e287c/lib/cryptcheck/tls/https/server.rb#L26-L33 but I missed `HTTParty.head`.
@dalf @unixfox @aeris Thank you all for your help. Everything works with cryptcheck, searx, searx-checker and antibot-proxy with the right conf. I also added the `always` flag of `add_header` under nginx, which fixes the main issue.
HSTS is not detected on this host.
The header `Strict-Transport-Security` has the value `max-age=31536000; includeSubDomains; preload` according to curl and Firefox (also detected by hstspreload.org).