We have added an HSTS policy at the Akamai level (domain). When we intercept the request using Burp, we don't see the HSTS policy being added to the response when we hit the site with HTTP.

But with HTTPS we are able to see the HSTS policy.

The issue is to fix this on HTTP also. Can any expert provide a solution for it from their knowledge?

Thanks,

  • 3
    The HSTS header MUST NOT be used in HTTP responses; as already auto-suggested by Stack, see https://security.stackexchange.com/questions/84714/why-does-rfc6797-say-an-hsts-host-must-not-include-the-sts-header-field-in-http and also consider https://security.stackexchange.com/questions/103507/hsts-on-sites-available-over-http-and-https – dave_thompson_085 Aug 05 '22 at 01:31
  • 3
    Does this answer your question? [Why does rfc6797 say "An HSTS Host MUST NOT include the STS header field in HTTP responses over non-secure transport."](https://security.stackexchange.com/questions/84714/why-does-rfc6797-say-an-hsts-host-must-not-include-the-sts-header-field-in-http), [HSTS on sites available over HTTP and HTTPS](https://security.stackexchange.com/questions/103507/hsts-on-sites-available-over-http-and-https). – Steffen Ullrich Aug 05 '22 at 02:36

2 Answers

0

Maybe because Burp is intercepting the response and removing it.

Use Wireshark to investigate; you can make your browser export the SSL key used for the session and have Wireshark load the key, so you can decrypt the response.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
0

The HSTS header MUST not be added to HTTP responses, as explained here.

Since you are asking about HSTS in HTTP responses, I assume that you actually want HTTP requests to be upgraded to HTTPS automatically.

This could be achieved by using an HTTPS redirect. For example, the following setting for .htaccess files would cause such a redirect:

# Enable mod_rewrite processing for this directory
RewriteEngine On
# Only match requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Redirect the same path to the HTTPS origin; R = external redirect, L = stop processing further rules
RewriteRule ^(.*)$ https://www.<yourdomain>.com/$1 [R,L]
Wouter
  • 397
  • 1
  • 12
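To make the two rules from this thread concrete (the comments' point that the STS header belongs only on HTTPS responses, and this answer's point that plain HTTP should redirect to HTTPS instead), here is an added checker in Python that is not part of the original question or answers. It runs over constructed sample responses rather than live traffic; the `Response` class, the `MIN_MAX_AGE` threshold and the host `www.example.com` are assumptions made for the example.

```python
"""Check HTTP/HTTPS responses for correct HSTS deployment (RFC 6797).

Added example, not part of the original Q&A. It encodes two rules:
  1. A plain-HTTP response must not carry Strict-Transport-Security and
     should redirect to the HTTPS origin of the same host instead.
  2. The HTTPS response must carry a well-formed Strict-Transport-Security
     header with a sufficiently large max-age.
Standard library only; all inputs below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}
# Assumed policy threshold for this example (one year in seconds).
MIN_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed sample data)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so match them that way.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse an STS header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive and max-age is mandatory; a header
    with a missing or non-numeric max-age is invalid and returns {}.
    """
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return {}  # invalid: a UA would ignore the whole header
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return {}  # invalid: max-age is required
    return result


def check(resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the response looks right."""
    findings: List[str] = []
    parts = urlsplit(resp.url)
    sts = resp.header("Strict-Transport-Security")

    if parts.scheme == "http":
        # Rule 1: no STS over plain HTTP; redirect to https://<same host> instead.
        if sts is not None:
            findings.append("STS header sent over plain HTTP (RFC 6797 forbids it; UAs ignore it)")
        if resp.status not in REDIRECT_STATUSES:
            findings.append(f"HTTP response is not a redirect (status {resp.status})")
        else:
            loc = urlsplit(resp.header("Location") or "")
            if loc.scheme != "https" or loc.hostname != parts.hostname:
                findings.append(f"redirect does not go to https://{parts.hostname}")
    elif parts.scheme == "https":
        # Rule 2: STS must be present and well formed over HTTPS.
        if sts is None:
            findings.append("no STS header on HTTPS response")
        else:
            policy = parse_hsts(sts)
            if not policy:
                findings.append(f"malformed STS header: {sts!r}")
            elif policy["max_age"] < MIN_MAX_AGE:
                findings.append(f"max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    else:
        findings.append(f"unsupported scheme {parts.scheme!r}")
    return findings


# Constructed sample responses mirroring the situation in the question.
SAMPLES = [
    Response("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("http://www.example.com/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    Response("https://www.example.com/", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    Response("https://www.example.com/", 200, {}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.url, s.status, check(s) or "OK")
```

The second sample is the configuration the question is effectively asking for, and the checker flags it twice: once for the STS header on plain HTTP and once because the response is a 200 rather than a redirect. Pointing `check()` at real responses is a matter of filling `Response` from whatever client or proxy export you already use.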