chromium / hstspreload.org

:lock: Chromium's HSTS preload list submission website.
https://hstspreload.org
BSD 3-Clause "New" or "Revised" License

`Strict-Transport-Security` header detected incorrectly #256

Closed Big-Cake-jpg closed 6 months ago

Big-Cake-jpg commented 6 months ago

The domain lihaoyu.cn has a `Strict-Transport-Security: max-age=31536000;includeSubDomains;preload` header, but hstspreload.org said that this domain doesn't have any HSTS header.

Meanwhile, www.lihaoyu.cn is normal.

lgarron commented 6 months ago

> but hstspreload.org said that this domain doesn't have any HSTS header.

Checking the response for https://lihaoyu.cn in Chrome DevTools and cURL/HTTPie, that looks correct. The site needs to resume sending the header to stay preloaded.

nharper commented 6 months ago

I concur with @lgarron's assessment. This appears to be a configuration issue with the website, not an issue with hstspreload.org. One possible explanation for why lgarron, hstspreload.org, and I don't see the HSTS header is that it's possible that the website only sends the HSTS header under some conditions.
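The check discussed in this thread, as an added example that is not part of the original comments and is not hstspreload.org's own code: it parses a `Strict-Transport-Security` value and reports which preload header requirements (max-age of at least 31536000, `includeSubDomains`, `preload`) a response fails, run over several responses for the same URL. The response samples and the request-variant labels are constructed and hypothetical, not captured from lihaoyu.cn.

```python
# Added example. Sample responses are constructed, not captured from any site.
MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts

def parse_hsts(value):
    """Parse an HSTS header value into {directive: value-or-None}.
    Returns None if a directive repeats (invalid per RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if val else None
    return directives

def preload_issues(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return ["no HSTS header"]
    d = parse_hsts(sts[0])  # clients process only the first HSTS header field
    if d is None:
        return ["duplicate directive"]
    issues = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        issues.append("missing or invalid max-age")
    elif int(max_age) < MIN_MAX_AGE:
        issues.append("max-age below 31536000")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            issues.append("missing " + flag)
    return issues

# Constructed responses for one URL under hypothetical request variants.
SAMPLES = {
    "variant 1": [("Strict-Transport-Security",
                   "max-age=31536000;includeSubDomains;preload")],
    "variant 2": [("Content-Type", "text/html")],  # header not sent at all
    "variant 3": [("strict-transport-security", "max-age=86400; preload")],
}

def audit(samples):
    """Map each request variant to its list of preload header issues."""
    return {label: preload_issues(h) for label, h in samples.items()}

if __name__ == "__main__":
    for label, issues in audit(SAMPLES).items():
        print(label, "->", issues or "meets header requirements")
```

A site that passes for one variant and reports "no HSTS header" for another is sending the header conditionally, which is the situation the last comment describes.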