
Scanning a website using https://observatory.mozilla.org gives me the following error: Initial redirection from http to https is to a different host, preventing HSTS.

Question

  • Is this a genuine issue with my setup, or a bug in the tool where it's not seeing the subdomain as being part of the same domain?
  • Can anyone advise what I may be missing based on the additional info below?

Detail

This site's domain is registered with Google Domains. To ensure anyone accessing the site via example.com is automatically redirected to www.example.com, I've set up subdomain forwarding with the following rule:

example.com → https://www.example.com 
Permanent redirect (301), Forward path

Additionally, I have rules in the (ASP.NET) site's web.config to redirect any HTTP connections to HTTPS, and to add the Strict-Transport-Security HTTP header (when presented via HTTPS only, per the famous Scott Hanselman blog's advice):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=63072000; includeSubDomains; preload" />
                </rule>
            </outboundRules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
                <!-- add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" / -->
                <add name="Content-Security-Policy" value="default-src 'self';" />
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="X-Frame-Options" value="DENY" />
                <add name="X-Xss-Protection" value="1; mode=block" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

The site itself is hosted in Azure (under my Visual Studio Subscription free credits). The site's URL here is example.azurewebsites.net, and in Google Domains I have a CNAME pointing www at example.azurewebsites.net (under custom resource records).

  • You're supposed to redirect first to `https://example.com/` then again to `https://www.example.com/`. – Michael Hampton Mar 09 '18 at 22:01
  • Ah, thanks @MichaelHampton... I'll try to figure out how to achieve that (i.e. currently I have to do the www redirect first to make use of the CName to load the site from Azure...) – JohnLBevan Mar 09 '18 at 22:06
  • Resolved by removing the CNAME and setting up A records for root and www, then amending my redirect rules. Thanks @MichaelHampton for the hint. – JohnLBevan Mar 09 '18 at 22:34
  • Here are the [HSTS preload Submission Requirements](https://hstspreload.org/). – Colt Mar 09 '18 at 22:47
  • Thanks @Colt; the issue I had was that I technically met all requirements, but because the redirect occurred in DNS there was no way to access the root domain; rather, you were instantly redirected to the www subdomain. Had the root been accessible it would have served up the correct header (as well as the redirect) and all would have worked. – JohnLBevan Mar 10 '18 at 08:18
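The two redirect chains discussed above (the DNS-level forwarding from the question, and the root-first chain Michael Hampton suggested), checked against the preload rules the comments link to. This is an added example, not part of the question or comments; the chains are constructed to mirror the setup described, and `check_preload_chain` is a hypothetical helper, not the Observatory's or hstspreload.org's own code.

```python
from urllib.parse import urlparse

# Constructed redirect chains modelled on the question. Each hop is
# (requested URL, status, Location header or None, Strict-Transport-Security header or None).
HSTS = "max-age=63072000; includeSubDomains; preload"
BROKEN_CHAIN = [  # DNS forwarding: the http root jumps straight to the www host
    ("http://example.com/", 301, "https://www.example.com/", None),
    ("https://www.example.com/", 200, None, HSTS),
]
FIXED_CHAIN = [  # A record for the root, so the root redirects to itself over https first
    ("http://example.com/", 301, "https://example.com/", None),
    ("https://example.com/", 301, "https://www.example.com/", HSTS),
    ("https://www.example.com/", 200, None, HSTS),
]

def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict of lowercased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def check_preload_chain(chain, min_age=31536000):
    """Return a list of problems; an empty list means the chain satisfies the preload rules."""
    problems = []
    first_url, status, location, _ = chain[0]
    first = urlparse(first_url)
    if first.scheme != "http":
        return ["chain must start with a plain http request to the root domain"]
    if not (300 <= status < 400 and location):
        problems.append("http root must redirect to https")
    else:
        target = urlparse(location)
        # Rule the question tripped over: the first hop must stay on the same host.
        if target.scheme != "https" or target.hostname != first.hostname:
            problems.append(f"first redirect goes to {location!r}, not to https on the same host {first.hostname!r}")
    # Every https response in the chain, including a root that itself redirects, must carry the header.
    for url, _, _, hsts in chain[1:]:
        if urlparse(url).scheme != "https":
            continue
        if hsts is None:
            problems.append(f"{url} serves no Strict-Transport-Security header")
            continue
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < min_age:
            problems.append(f"{url}: max-age must be at least {min_age}")
        problems.extend(f"{url}: missing {req} directive" for req in ("includesubdomains", "preload") if req not in d)
    return problems
```

Running `check_preload_chain` on both chains reproduces the Observatory finding: the DNS-forwarded chain fails only on the first hop, while the root-first chain passes.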
