2

We have a web portal and I need to add an HSTS header to the response. Ours is an on-premise solution, so we use a self-signed certificate. I have added the HSTS header to the response & I need to check whether it really works.

I understand that for HSTS to work, there shouldn't be any certificate issues & first we need to access https://somesite.com; then on the next pass an http request will be automatically redirected to https on the client side itself.

So, I installed our self-signed certificate in the Chrome browser & restarted the browser. Now my connection to our web application was secure. But HSTS doesn't seem to work. In successive calls to http://somesite.com, we are still redirected (302) to https (automatic client-side redirection to https doesn't happen). One thing to note here is that there is no domain name associated with our web application; we access it with our server's IP within our company's internal network.

Any idea how to get HSTS working? Or is it that HSTS works only if there is a domain name for the site?

2 Answers

5

Actually, this is already answered on Stack Overflow: RFC 6797 Appendix A: HSTS doesn't work for IP addresses.

You need to set up a local DNS server to deal with it.

mootmoot
  • Bittersweet defeat.. I was afraid of this. This isn't ideal for a travelling dev laptop. Works fine on office WIFI with DNSMASQ but not anywhere else. Looks like local DNSMASQ. I foresee quite a few frustrations about this.. – BoeroBoy Feb 12 '19 at 12:45
  • 3
    Correction, I found the whitelist easter egg workaround on another thread: You can type 'thisisunsafe' anywhere on the Google Chrome warning page and it will load it without warning. No joke. – BoeroBoy Feb 12 '19 at 13:21
1

Watch out with public TLDs in combination with locally-hosted sites and self-signed certs.

For example, mysite.dev with a self-signed certificate was causing an HSTS error in all my browsers (Chrome, Edge and Firefox). When I switched to a non-public TLD, for example mysite.localdev, it worked like a charm.

schroeder
JonasVH
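
The checks behind both answers, as an added example that is not part of the original posts: per RFC 6797 a browser stores an HSTS policy only when the header arrives over HTTPS without certificate errors and the host is a domain name rather than an IP literal, and separately TLDs such as .dev are on the browsers' HSTS preload list. The function names, the sample hosts used to exercise them and the two-entry TLD set are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Partial, illustrative sample of HSTS-preloaded TLDs (not the full preload list).
PRELOADED_TLDS = {"dev", "app"}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False

def hsts_outcome(url, header, tls_errors):
    """Return (noted, reason): would a conforming browser store this HSTS policy?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "header received over plain HTTP is ignored"
    if tls_errors:
        return False, "connection had certificate errors or warnings"
    if is_ip_literal(host):
        return False, "host is an IP address, not a domain name"
    policy = parse_hsts(header)
    if policy is None:
        return False, "missing or invalid max-age"
    if policy["max_age"] == 0:
        return False, "max-age=0 removes any stored policy"
    return True, f"stored for {policy['max_age']} seconds"

def forced_https_by_preload(host):
    """True when the TLD is preloaded, so HTTPS is enforced without any header."""
    return host.rsplit(".", 1)[-1].lower() in PRELOADED_TLDS
```

Pass `tls_errors=True` for a self-signed certificate the browser does not yet trust; once the certificate is installed as trusted, the IP-literal check is the one that still blocks the policy.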