not-kennethreitz / flask-sslify

Force SSL on your Flask app.
https://pypi.python.org/pypi/Flask-SSLify
BSD 2-Clause "Simplified" License

HSTS Non-Functional as of v0.1.5 #43

Open rykener opened 8 years ago

rykener commented 8 years ago

As glencarl mentioned in issue #42, the Expedited SSL scanner isn't picking up HSTS with v0.1.5 installed. This comes back to the Strict-Transport-Security flag not being sent in the header, as illustrated below.

I believe this warrants opening a separate issue as it clarifies that it's not an issue with Expedited SSL's scanner but is in fact an issue with HSTS itself.

v0.1.4

curl -D - https://myapp014.herokuapp.com | head -n 20
HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.4.5
Date: Thu, 21 Apr 2016 14:07:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8622
Strict-Transport-Security: max-age=31536000
Via: 1.1 vegur

v0.1.5

curl -D - https://myapp015.herokuapp.com | head -n 20
HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.4.5
Date: Thu, 21 Apr 2016 14:09:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8622
Via: 1.1 vegur
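The two header dumps above are the whole diagnosis: a response that carries Strict-Transport-Security with a max-age, and one that does not. The script below is an added example, not code from this issue or from Flask-SSLify. It does two things a practitioner would want when triaging a report like this: it parses a raw `curl -D -` dump and extracts the effective HSTS policy (max-age is mandatory per RFC 6797, includeSubDomains and preload are optional flags, and a header without a usable max-age is ignored by browsers), and it shows a minimal WSGI middleware that emits the header only on HTTPS responses, which is the behaviour the issue expects from the extension. The middleware, `HSTSMiddleware`, and the helpers `parse_response_headers`, `hsts_policy` and `call_wsgi` are hypothetical names introduced here; the sample dumps are copied from the two curl runs above, and the `trust_proxy` option is an assumption about Heroku-style deployments where TLS terminates at the router and the app sees `X-Forwarded-Proto`.

```python
"""Added example: detect an HSTS policy in a raw HTTP response dump and show
a minimal WSGI middleware that sets the header on HTTPS responses.
This is not Flask-SSLify's own implementation."""

import re
from typing import Dict, Optional

HSTS = "Strict-Transport-Security"
# RFC 7230 token characters: a header name must be a single token, which
# lets us skip curl's progress-meter lines that happen to contain ':'.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x response dump into a dict.
    Header names are case-insensitive, so keys are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank line, status line, or progress-meter noise
        name, _, value = line.partition(":")
        if _TOKEN.fullmatch(name.strip()):
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_policy(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the effective HSTS directives, or None if there is no usable
    policy (header absent, or present without a numeric max-age)."""
    value = headers.get(HSTS.lower())
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HSTSMiddleware:
    """Append Strict-Transport-Security to HTTPS responses only (hypothetical
    middleware). Browsers ignore HSTS received over plain HTTP, and emitting
    it there is pointless. With trust_proxy=True the X-Forwarded-Proto header
    is honoured; only do that behind a proxy that overwrites client-supplied
    values, otherwise a client can spoof the scheme."""

    def __init__(self, app, max_age: int = 31536000, include_subdomains: bool = False,
                 preload: bool = False, trust_proxy: bool = False):
        self.app, self.trust_proxy = app, trust_proxy
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        if preload:
            value += "; preload"
        self.value = value

    def __call__(self, environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if self.trust_proxy:
            scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
        secure = scheme.lower() == "https"

        def hsts_start_response(status, headers, exc_info=None):
            if secure:  # replace any existing value so there is exactly one
                headers = [h for h in headers if h[0].lower() != HSTS.lower()]
                headers.append((HSTS, self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def call_wsgi(app, environ):
    """Invoke a WSGI app offline and return (status, lower-cased headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, {k.lower(): v for k, v in headers}
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Trivial WSGI app standing in for the Flask application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


# Constructed samples: the two header dumps from the issue above.
SAMPLE_014 = """HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.4.5
Strict-Transport-Security: max-age=31536000
Via: 1.1 vegur
"""
SAMPLE_015 = """HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.4.5
Via: 1.1 vegur
"""

if __name__ == "__main__":
    for label, dump in (("v0.1.4", SAMPLE_014), ("v0.1.5", SAMPLE_015)):
        print(label, hsts_policy(parse_response_headers(dump)))
    app = HSTSMiddleware(hello_app, trust_proxy=True)
    print(call_wsgi(app, {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"})[1])
```

Run it against a live dump with `curl -sD - -o /dev/null https://example.invalid | python -c 'import sys; ...'`-style piping, or simply paste the header block into the sample strings. The middleware is written at the WSGI layer rather than as a Flask `after_request` hook so the test below can exercise it without Flask installed; the scheme check is the part that matters, since an HSTS header that is only ever emitted on the HTTP side of a redirect would show exactly the symptom reported here.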