sesh / ready

Are you production ready?
ISC License

HSTS preload test fails on subdomains? #22

Closed mejofi closed 7 months ago

mejofi commented 7 months ago

Version: 1.2.1

If my understanding of the spec isn't deserting me, the preload statement in the HSTS header is only relevant for requests to the apex, such as https://hsts.example/, and not for subdomains, since subdomains cannot be preloaded. This means that, for something like https://subdomain.hsts.example/, the following should pass;

strict-transport-security: max-age=63072000

as long as hsts.example has the proper header set, like this;

strict-transport-security: max-age=63072000; includeSubDomains; preload

This probably goes for the includeSubDomains test as well?

Example: ipv4.ur.nl currently fails those two tests;

[FAIL] HSTS Header should have includeSubdomains (max-age=63072000)
[FAIL] HSTS Header should have preload (max-age=63072000)

Oh, and minor niggle; example.com is a second-level domain, not first level 😄

https://en.wikipedia.org/wiki/Second-level_domain

Example:

Domain: ipv4.ur.nl, Domain (no path): ipv4.ur.nl, First Level Domain: ur.nl

sesh commented 7 months ago

Oh, and minor niggle; example.com is a second-level domain, not first level 😄

🤦‍♂️

FYI: that term came from the tld library that I'm using.
These checks were not really designed with subdomains in mind. Working with subdomains while keeping the tool dependency free is tricky. Plus the number of requests this tool makes is increasing and always in the back of my mind.

I'll work on both of these at some point soon.

mejofi commented 7 months ago

You can use the publicsuffix2 module for this;

https://pypi.org/project/publicsuffix2/

This uses the Public Suffix List maintained by Mozilla, and allows you to distinguish between, say, example.com and example.co.uk with just a few lines of code.

It also covers domains where subdomains are individual users, such as 'github.io' and the like, so some subdomains may require extra logic that I have not had to deal with before 🤔
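The behaviour proposed in this thread (a subdomain passes the includeSubDomains and preload checks when its apex sends includeSubDomains, with the apex found via public-suffix rules so that "user" suffixes like github.io are not treated as having a shared apex), written up as an added example. This is not the ready project's code and does not use the publicsuffix2 API; it assumes a small constructed subset of the Public Suffix List (no wildcard or exception rules), constructed sample headers, and hypothetical function names (`parse_hsts`, `registrable_domain`, `check_hsts`). A real tool would load the full Public Suffix List (for instance through publicsuffix2) and fetch the headers over HTTPS. The `preload_eligible` helper additionally encodes the hstspreload.org submission rules (max-age of at least one year, includeSubDomains and preload all present on the apex).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the Public Suffix List; the real list has thousands
# of rules plus wildcard/exception rules, which are omitted here.
# "github.io" is a private-section suffix: every subdomain is a different
# user's site, so no shared apex policy can exist for it.
PUBLIC_SUFFIXES = {"com", "nl", "co.uk", "github.io"}

# hstspreload.org requires max-age of at least one year on the apex.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: Optional[str]) -> Optional[HSTSPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Directive names are case-insensitive, max-age may be quoted, unknown
    directives are ignored. max-age is mandatory: without it (or with a
    non-numeric value) the header is invalid and None is returned."""
    if header is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HSTSPolicy(max_age, include_subdomains, preload)


def registrable_domain(host: str) -> Optional[str]:
    """Registrable (apex) domain: one label below the longest matching
    public suffix. Returns None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # No rule matched: the PSL's implicit "*" rule makes the last label the suffix.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def check_hsts(host: str, headers: dict) -> dict:
    """Evaluate the three checks discussed in the thread for one host.
    headers maps hostname -> Strict-Transport-Security value (None if absent).
    If the apex sends includeSubDomains its policy covers host and is reported
    "from apex domain". preload only counts on the apex policy, since a
    subdomain cannot be preloaded on its own. Returns {check: (passed, detail)}."""
    own = parse_hsts(headers.get(host))
    apex = registrable_domain(host)
    inherited = None
    if apex is not None and apex != host:
        apex_policy = parse_hsts(headers.get(apex))
        if apex_policy is not None and apex_policy.include_subdomains:
            inherited = apex_policy

    if inherited is not None:
        policy, detail = inherited, f"{headers[apex]} (from apex domain)"
    else:
        policy, detail = own, headers.get(host) or "header missing"

    has_hsts = policy is not None
    include_subdomains = has_hsts and policy.include_subdomains
    preload = (has_hsts and policy.preload and policy.include_subdomains
               and (inherited is not None or apex == host))
    return {
        "hsts": (has_hsts, detail),
        "includeSubDomains": (include_subdomains, detail),
        "preload": (preload, detail),
    }


def preload_eligible(policy: Optional[HSTSPolicy]) -> bool:
    """Whether an apex policy meets the hstspreload.org submission rules."""
    return (policy is not None and policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)


def report(host: str, headers: dict) -> list:
    """Render results in the style the tool prints in this thread."""
    return [f"{'[ OK ]' if ok else '[FAIL]'} HSTS Header should have {name} ({detail})"
            for name, (ok, detail) in check_hsts(host, headers).items()]


# Constructed sample headers for the example, not observed responses.
SAMPLE_HEADERS = {
    "ur.nl": "max-age=63072000; includeSubDomains; preload",
    "ipv4.ur.nl": "max-age=63072000",
    "example.com": "max-age=63072000",                # apex without includeSubDomains
    "www.example.com": None,                          # no header at all
    "alice.github.io": "max-age=31536000; preload",   # preload with no apex to inherit from
}

if __name__ == "__main__":
    for sample_host in SAMPLE_HEADERS:
        print(sample_host)
        for line in report(sample_host, SAMPLE_HEADERS):
            print("  " + line)
```

With the sample data, ipv4.ur.nl passes all three checks with the apex header reported as the source, www.example.com fails all three because example.com does not send includeSubDomains, and alice.github.io is treated as its own registrable domain, so its lone preload directive fails the preload check (preload without includeSubDomains is not accepted for submission either).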

sesh commented 7 months ago

I forgot to write this up yesterday, but this is done and should be working in v1.5.0.

The behaviour is documented on the release, but to put it here too:

Feel free to reopen this if it doesn't handle your use case properly.

mejofi commented 7 months ago

Nice, thanks! 🙂

[ OK ] HSTS Header should have includeSubDomains (max-age=63072000; includeSubDomains; preload (from apex domain))
[ OK ] HSTS Header should have preload and includeSubDomains (max-age=63072000; includeSubDomains; preload (from apex domain))