Open shaunwarman opened 4 years ago
The header has to be sent on the response to / itself, even if there's a redirect to the same origin.
Depending on your server software, there may be a separate setting to do this for redirects. For example, in Apache you have to use the always keyword for this:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
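As an added example (not code from the hstspreload.org project or from anyone in this thread), the following Python checker walks a redirect chain one hop at a time instead of auto-following, so a 302 that lacks the header is reported the same way hstspreload.org reports it. The sample chain, the example.test hostnames and the one-year max-age floor it applies are assumptions stated in the comments.

```python
import http.client
from urllib.parse import urljoin, urlsplit
ONE_YEAR = 31536000  # assumed minimum max-age for preload eligibility (one year)

def parse_hsts(value):
    """Parse an HSTS header value into {directive name (lowercased): value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_problems(headers):
    """Preload-eligibility problems for one response, given its (name, value) header list."""
    value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["No HSTS header"]
    d, problems = parse_hsts(value), []
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age missing or below one year")
    problems += [f"missing {x}" for x in ("includeSubDomains", "preload") if x.lower() not in d]
    return problems

def audit_chain(hops):
    """hops: [(url, status, headers)] in redirect order; every hop, 3xx included, is judged."""
    return [(url, status, hsts_problems(headers)) for url, status, headers in hops]

def fetch_chain(url, max_hops=5):
    """Fetch url over HTTPS hop by hop, recording each response instead of auto-following."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        hops.append((url, resp.status, resp.getheaders()))
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return hops

# Constructed sample mirroring the thread: "/" answers 302 to "/en" with no HSTS header, "/en"
# carries a compliant one. Only the first hop fails, and that hop alone is what the checker flags.
SAMPLE_CHAIN = [
    ("https://example.test/", 302, [("Location", "/en")]),
    ("https://example.test/en", 200,
     [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]),
]
```

Run `audit_chain(fetch_chain("https://your-site.example/"))` against a live host to see which hop, if any, is missing the header.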
thanks @lgarron, @shaunwarman you can close this
@lgarron it might be good to make a note in the landing page that "if you 302 redirect to i18n landing pages like /en, note that your 302 redirect needs the HSTS header present" - not sure if many others have this but would be good to dummy-proof (since other sites follow their redirects on HSTS tests, and hstspreload.org does not).
I think mentioning i18n is a bit too specific. The Deployment Recommendations mentions adding the Strict-Transport-Security header to all HTTPS responses. Would it help to clarify that by adding "including redirects"?
that'd be great
Trying https://fowardemail.net there is a 302 redirect to https://forwardemail.net/<locale> (e.g. https://forwardemail.net/en) where the HSTS header is present. hstspreload.org responds with
Error: No HSTS header Response error: No HSTS header is present on the response.
Does the missing HSTS header on the initial response and the 302 redirect to a page where the HSTS header is present cause the issue?
I can see http -> https redirect via 301.
Using competitors like https://gf.dev/hsts-test says things are good.