securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

When there is more than one HSTS header, this is not reflected #11

Closed hmallett closed 8 years ago

hmallett commented 8 years ago

If a site is misconfigured, and presenting more than one HSTS header, then securityheaders does not reflect this, and reports only one of the headers, with no indication that there are any more. For comparison, SSLLabs will highlight that the server provided more than one HSTS header.

ScottHelme commented 8 years ago

I've pushed a patch to the test site, can you try it out there?

https://test.securityheaders.io/

hmallett commented 8 years ago

My example now shows a warning for any duplicate headers, not just HSTS.
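A sketch of the check discussed in this thread, added as an example and not taken from securityheaders.io's code: it keeps repeated header lines instead of collapsing them into a map, reports any security header sent more than once, and shows which HSTS value a browser applies (RFC 6797 section 8.1 has the user agent process only the first one). The header list, function names and sample response are assumptions made up for the illustration.

```python
from collections import defaultdict

# Assumed header list for this example; the thread itself only names HSTS.
SECURITY_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options", "referrer-policy",
}

def parse_header_lines(raw_response: str):
    """Return [(name, value)] in wire order, keeping repeated headers."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def duplicate_security_headers(raw_response: str):
    """Map each security header seen more than once to all of its values."""
    seen = defaultdict(list)
    for name, value in parse_header_lines(raw_response):
        if name in SECURITY_HEADERS:
            seen[name].append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

def effective_hsts(raw_response: str):
    """First HSTS value on the wire, which is the one a user agent processes."""
    for name, value in parse_header_lines(raw_response):
        if name == "strict-transport-security":
            return value
    return None

# Constructed sample: a misconfigured site sending two conflicting HSTS headers.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: DENY\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for name, values in duplicate_security_headers(SAMPLE).items():
        print(f"WARNING: {name} sent {len(values)} times: {values}")
    print("HSTS value a browser applies:", effective_hsts(SAMPLE))
```

In the sample the first HSTS header carries `max-age=0`, so a scanner that reported only the second header would show a healthy policy while browsers apply none.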