Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites.

HTTP Strict Transport Security (HSTS) defined in RFC 6797 is a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example.

58 questions
49 votes, 9 answers

Is there any reason not to enforce HTTPS on a website?

A website I frequent has finally decided to enable TLS on their servers, only not to mandate it as a lot of websites out there do. The maintainer claims that TLS must be optional. Why? On my own website I have long set up mandated TLS and HSTS with…
Maxthon Chan
14 votes, 5 answers

HSTS on Amazon CloudFront from S3 origin

Is it possible to set HSTS headers on an Amazon CloudFront distribution from a S3 origin?
chrisvdb
13 votes, 3 answers

Adding HSTS to nginx config

I recently changed my nginx config to redirect all http traffic to https (and all www traffic to no-www). Would it make sense to also add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; to my server blocks as well?…
Hassan Baig
11 votes, 3 answers

hsts on main port 80, not on other ports

I have set hsts for my domain on the site http://server.mydom.tld:80, so the browser goes to https://server.mydom.tld on port 443. However, I also have other webservers, running on other ports. So when I go to http://server.mydom.tld:8888 it gets…
Lenne
10 votes, 1 answer

Apache 2.4 - Disable HSTS Header

I've set up a Vagrant box with Ubuntu 18.04 and installed Apache 2.4.29. I've created and enabled a new conf file that looks like this: ServerName django.dev ServerAlias www.django.dev ServerAdmin webmaster@localhost …
simon
9 votes, 1 answer

HSTS and double redirect

I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file. I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got…
user487101
7 votes, 3 answers

How does HSTS handle mixed content?

I've just checked with the SSL Server Test if I implemented the SSL certificate on my server correctly. I got a grade A in their ranking but you can get an A+ if you have activated HSTS. After some searching I found out that Google might treat HSTS…
6 votes, 1 answer

My browser will not display http://[sub.]example.com

When I go to http://sub.example.com in my browser I get a "connection refused" message or an "invalid certificate" error but I don't even want to connect over https. As far as I know: The web server is configured correctly for sub.example.com TCP…
Bob
5 votes, 1 answer

HSTS header not being sent though rule is present and mod_headers is enabled

We enabled HSTS in httpd.conf in the Virtual Host handling port 443. We tried with and without the : Header set Strict-Transport-Security "max-age=10886400; includeSubDomains" But the…
user549516
4 votes, 1 answer

Mikrotik - redirecting YouTube to a local friendly page

I'm configuring a rb750. I would like to drop YouTube access and redirect to a friendly page located on our local webserver. I can drop using the l7 firewall but I'm not able to redirect the user because of https. Specifically, YouTube uses some kind of…
JefersonLemos
3 votes, 3 answers

How can I enable HSTS on the default Google Load Balancer coming with Google Container Engine?

I'd love to set up HSTS with my GKE cluster, as right now HTTP requests return a Google broken robot 404 page after setting this up in ingress.yml annotations: kubernetes.io/ingress.allow-http: "false" Apparently there are options for this in…
3 votes, 0 answers

Enabling HSTS header on AWS Application Load Balancer

We have a Spring Boot application behind an AWS Application Load Balancer. The load balancer terminates SSL before forwarding incoming requests to our application and also redirects port 80 to port 443. We want to enable strict-transport-security…
2 votes, 1 answer

nginx 1.15.10 - TLSv1.3 doesn't get applied despite the config

nginx -V nginx version: nginx/1.15.10 built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.1b 26 Feb 2019) TLS SNI support enabled configure arguments: --prefix=/etc/nginx…
user493649
2 votes, 2 answers

Enable HTTP Strict Transport Header globally in HAProxy

I want to enable HTTP Strict Transport Security (HSTS) Headers globally for all my backends in HAProxy v1.5. Following the instructions from https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/ I…
kenlukas
2 votes, 1 answer

Cloudflare: HSTS (Strict-Transport-Security) for subdomain only

I would like Cloudflare to send the HSTS header on the main domain, and on the www subdomain, but not the other subdomains. However I can only enable HSTS for the primary domain (and add includesubdomains, which I can't use because I don't want HSTS…
user643011