Closed fuzzball1980 closed 6 years ago
Can you refer to the documentation where it states that it should do that, and maybe also that Cherokee currently doesn't?
@fuzzball1980 this is what my Cherokee machine serves:
Date: Mon, 09 Apr 2018 16:51:21 GMT
ETag: "52053aee=703"
Server: Cherokee/1.2.104 (UNIX)
Strict-Transport-Security: max-age=0
This is what I get when browsing on HTTP:
Connection: close
Content-Length: 376
Content-Type: text/html
Date: Mon, 09 Apr 2018 18:01:25 GMT
Location: https://revistas.movistar.com.ec/
Server: Cherokee/1.2.101 (Ubuntu)
Strict-Transport-Security: max-age=0; includeSubdomains
STS header is present.
Then on the redirect the server response is:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Length: 5610
Content-Type: text/html
Date: Mon, 09 Apr 2018 18:00:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
No STS header present after switching to HTTPS.
The doc I'm referring to is RFC 6797:
https://tools.ietf.org/html/rfc6797#page-6
The paragraph:
2.2. HTTP Strict Transport Security Policy Effects
The effects of the HSTS Policy, as applied by a conformant UA in interactions with a web resource host wielding such policy (known as an HSTS Host), are summarized as follows:
UAs transform insecure URI references to an HSTS Host into secure URI references before dereferencing them.
The UA terminates any secure transport connection attempts upon any and all secure transport errors or warnings.
If the header is not present on HTTPS connections, the UAs won't transform the non-secure URIs on the page into secure ones. I know the server will still respond with an HTTP 301 to the secure URI, but if there is a man-in-the-middle attack the user will be exposed.
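The rule being argued over here is RFC 6797 section 8.1: a user agent only records an HSTS policy from a Strict-Transport-Security header received over a secure transport, and ignores the header on plain HTTP. The following checker, added to this thread and not part of Cherokee or the original posts, evaluates a captured response header block the way a conformant UA would. The header blocks embedded in it are constructed to mirror the shapes posted above (a 301 over HTTP carrying STS, a 200 over HTTPS without it) and use the placeholder host `example.test`; `evaluate_hsts`, `parse_sts` and `parse_headers` are names chosen for this example. It also flags `max-age=0`, which per RFC 6797 section 6.1.1 tells the UA to stop treating the host as a known HSTS host rather than to protect it.

```python
"""Evaluate Strict-Transport-Security (RFC 6797) response headers as a UA would.
Added example; the header blocks below are constructed, not captured from a live host."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsResult:
    honored: bool                   # would a conformant UA cache a policy from this response?
    reason: str
    max_age: Optional[int] = None
    include_subdomains: bool = False


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict; names are case-insensitive (RFC 7230)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue                # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_sts(value: str) -> Tuple[int, bool]:
    """Parse STS directives (RFC 6797 section 6.1). Returns (max_age, includeSubDomains).
    Raises ValueError on a malformed field, which a UA treats as no policy at all."""
    max_age: Optional[int] = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()         # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if not m:
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


def evaluate_hsts(raw_headers: str, over_tls: bool) -> HstsResult:
    """Decide whether a UA would note an HSTS policy from this response."""
    sts = parse_headers(raw_headers).get("strict-transport-security")
    if sts is None:
        return HstsResult(False, "no Strict-Transport-Security header in response")
    if not over_tls:
        # RFC 6797 section 8.1: STS received over an insecure transport MUST be ignored
        return HstsResult(False, "header received over plain HTTP; the UA ignores it")
    try:
        max_age, include_sub = parse_sts(sts)
    except ValueError as exc:
        return HstsResult(False, f"malformed header, ignored: {exc}")
    if max_age == 0:
        # section 6.1.1: max-age=0 removes the host from the UA's known HSTS hosts
        return HstsResult(False, "max-age=0 tells the UA to forget this host's policy", 0, include_sub)
    return HstsResult(True, f"policy noted for {max_age} seconds", max_age, include_sub)


# Constructed samples modelled on the responses quoted in the thread.
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/
Server: Cherokee/1.2.101 (Ubuntu)
Strict-Transport-Security: max-age=0; includeSubdomains
"""

HTTPS_NO_STS = """HTTP/1.1 200 OK
Server: Cherokee/1.2.2b6397 (UNIX)
X-Content-Type-Options: nosniff
"""

HTTPS_WITH_STS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for label, block, tls in [("http 301", HTTP_REDIRECT, False),
                              ("https 200, no STS", HTTPS_NO_STS, True),
                              ("https 200, STS", HTTPS_WITH_STS, True)]:
        print(f"{label:>20}: {evaluate_hsts(block, tls)}")
```

Run it against a header block saved from the HTTPS response of the site under test; only the third case yields a cached policy, which is why the header has to appear on the TLS responses themselves and not just on the plaintext redirect.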
Oh!! I don't know what could be wrong in my config, I just enabled HSTS.
Do you know of any bug in Cherokee/1.2.101 related to HSTS?
Thank you!!
I don't know, but given that 1.2.104 has been available for ages, I would say upgrading is the best remedy.
OK, I will let you know if the problem is solved by the update.
Thanks
I have upgraded to 1.2.2 but I'm still not getting the STS header over HTTPS:
HTTP/1.1 200 OK
Date: Tue, 10 Apr 2018 04:27:59 GMT
Server: Cherokee/1.2.2b6397 (UNIX)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5593
Content-Type: text/html
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
By the way, I'm seeing something really strange: I wanted to disable HSTS, so I went to the handler's Security tab and unchecked Access Restrictions / Only https.
But I'm still getting the redirects to https, and stranger still, I'm still seeing the old version of Cherokee in the Server header:
HTTP/1.1 301 Moved Permanently
Date: Wed, 21 Feb 2018 21:00:42 GMT
Server: Cherokee/1.2.101 (Ubuntu)
Location: https://domain***/
Content-Length: 376
Content-Type: text/html
Any idea? Is it possible that the 301 redirects keep showing an old Cherokee version? I'm totally sure I have uninstalled the old Cherokee, and of course it is impossible for both versions to be listening on the same ports.
Sorry! Seems like the browser cached the HSTS flag for the domain. My bad.
Just to let you know that I made it work with Cherokee/1.2.2b6397 by checking "Only http" but adding a NOT SSL/TLS rule and adding the Strict-Transport-Security header manually there.
I'm a little confused already, but it seems like the HSTS feature works differently in this version, because I just get an HTTP 426 Upgrade Required. I had to add the redirect rule, and I'm pretty sure I didn't put that rule in the previous version (1.2.101).
Anyway, using that rule we can manage the header to add STS on redirects (https://github.com/cherokee/webserver/issues/1204).
But I still had to add the STS header manually on all the responses at the HTTP reverse proxy handler, because the "Only Http" flag doesn't add it by default on HTTPS connections.
Hi guys! Why is the Strict-Transport-Security header not sent over HTTPS? I believe the specification says it should be sent to allow the browser to convert any non-HTTPS link to HTTPS automatically.
Thanks!