We have a web portal and I need to add an HSTS header to the response. Ours is an on-premise solution, so we use a self-signed certificate. I have added the HSTS header to the response and I need to check whether it really works.
I understand that for HSTS to work, there shouldn't be any certificate issues, and we first need to access https://somesite.com; then on the next pass an HTTP request will be automatically redirected to HTTPS on the client side itself.
So, I installed our self-signed certificate in the Chrome browser and restarted the browser. Now my connection to our web application was secure. But HSTS doesn't seem to work. On successive calls to http://somesite.com, we are still redirected (302) to HTTPS (the automatic client-side redirection to HTTPS doesn't happen). One thing to note here is that there is no domain name associated with our web application; we access it using our server's IP within our company's internal network.
Any idea how to get HSTS working? Or is it that HSTS works only if there is a domain name for the site?
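
As an added example (not part of the original post): a small Python check of the conditions under which RFC 6797 has a browser record an HSTS policy, including its rule that a host reached by IP address literal is never noted as a Known HSTS Host. The helper names, the sample header and the URLs are constructed for illustration; certificate validation is not modeled.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in directives:               # a directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else None
    return directives

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hsts_verdict(url, header_value):
    """Return (stored, reason): would a conforming browser record this policy?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "header arrived over plain HTTP and is ignored"
    if is_ip_literal(host):
        return False, f"{host} is an IP address literal, never a Known HSTS Host"
    try:
        max_age = parse_hsts(header_value).get("max-age")
    except ValueError as exc:
        return False, f"malformed header: {exc}"
    if not (max_age and max_age.isascii() and max_age.isdigit()):
        return False, "required max-age directive missing or not a number"
    if int(max_age) == 0:
        return False, "max-age=0 tells the browser to forget the policy"
    return True, f"policy stored for {host} for {int(max_age)} seconds"

if __name__ == "__main__":
    header = "max-age=31536000; includeSubDomains"   # constructed sample value
    for url in ("https://10.0.0.5/portal",            # constructed: access by IP
                "https://portal.corp.example/",       # constructed: access by name
                "http://portal.corp.example/"):
        print(url, "->", hsts_verdict(url, header))
```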