civichackingagency / scangov

Government digital experience monitor
https://scangov.org

Update data: iowa.gov #166

Open Javi-er opened 3 days ago

Javi-er commented 3 days ago

Domain: iowa.gov

The security report mentions that the http:// domain doesn't redirect to https, when in fact it does; it can be validated by visiting http://www.iowa.gov/

Narlotl commented 3 days ago

The HSTS score is based on the presence of the Strict-Transport-Security header at http://iowa.gov, which isn't there. Although iowa.gov redirects to the HTTPS site, HSTS does it automatically, meaning the user never has to request over HTTP.

Current headers:

```
$ curl --head http://iowa.gov
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Retry-After: 0
Server: Pantheon
Location: https://www.iowa.gov/
X-Pantheon-Redirect: primary-domain-policy-doc
X-Served-By: cache-dfw-kdfw8210141-DFW
X-Cache-Hits: 0
X-Timer: S1729738138.842301,VS0,VE6
Accept-Ranges: bytes
Date: Thu, 24 Oct 2024 02:48:57 GMT
Connection: keep-alive
Server-Timing: ak_p; desc="1729738137705_399532102_1286642063_16005_7732_103_0_-";dur=1
```

Narlotl commented 2 days ago

Sorry, that header should be at https://iowa.gov, but it's the same idea.
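The distinction the thread draws, an HTTP-to-HTTPS redirect versus an HSTS policy, as an added example that is not scangov's own checker code. It parses raw `curl --head` style responses and scores the two properties separately. The `http://` sample is abridged from the curl output pasted above; the two `https://` responses are constructed for illustration and are not captured from iowa.gov. It also applies the caveat a scanner needs: RFC 6797 section 8.1 requires a browser to ignore a Strict-Transport-Security header received over a non-secure transport, so only the HTTPS response is consulted for HSTS.

```python
# Added example, not scangov's own code. Function and variable names are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased, values stripped


def parse_head(raw: str) -> Response:
    """Parse the text of a `curl --head` style response into a Response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # e.g. "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def assess(http_resp: Response, https_resp: Response) -> dict:
    """Score the HTTP->HTTPS redirect and the HSTS policy served over HTTPS separately."""
    location = http_resp.headers.get("location", "")
    redirects = http_resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")

    # RFC 6797 section 8.1: a user agent MUST ignore an STS header received over a
    # non-secure transport, so an HSTS header on the http:// response never counts.
    hsts = https_resp.headers.get("strict-transport-security")
    max_age = 0
    include_subdomains = False
    if hsts is not None:
        directives = parse_hsts(hsts)
        raw_age = str(directives.get("max-age", "0"))
        max_age = int(raw_age) if raw_age.isdigit() else 0
        include_subdomains = "includesubdomains" in directives

    return {
        "redirects_to_https": redirects,
        "hsts_present": hsts is not None,
        "hsts_max_age": max_age,
        "hsts_include_subdomains": include_subdomains,
        # max-age=0 tells the browser to forget the host, so it is not an active policy
        "hsts_effective": max_age > 0,
    }


# Abridged from the curl output quoted earlier in this thread.
HTTP_RESPONSE = """HTTP/1.1 301 Moved Permanently
Content-Length: 0
Server: Pantheon
Location: https://www.iowa.gov/
X-Pantheon-Redirect: primary-domain-policy-doc
Date: Thu, 24 Oct 2024 02:48:57 GMT
"""

# Constructed HTTPS responses for illustration (not captured from iowa.gov).
HTTPS_NO_HSTS = """HTTP/1.1 200 OK
Content-Type: text/html
Server: Pantheon
"""

HTTPS_WITH_HSTS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


if __name__ == "__main__":
    for label, https_raw in (("without HSTS", HTTPS_NO_HSTS), ("with HSTS", HTTPS_WITH_HSTS)):
        print(label, assess(parse_head(HTTP_RESPONSE), parse_head(https_raw)))
```

Run as a script it prints both assessments: the redirect passes in both cases, while `hsts_present` and `hsts_effective` are true only for the constructed response that actually carries the header, which is the separation the maintainer describes.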