Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites.

HTTP Strict Transport Security (HSTS), defined in RFC 6797, is a mechanism that enables web sites to declare themselves accessible only via secure connections and/or lets users direct their user agent(s) to interact with given sites only over secure connections. The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration.

58 questions

2 votes, 0 answers

How to configure HSTS in Wildfly the proper way?

I want to set the HSTS header on Wildfly. I haven't found any specific method to do this, so my first approach would be setting it manually via an undertow filter:
Demento

2 votes, 2 answers

Ignore HSTS in browser for a subdomain

[copied from https://stackoverflow.com/questions/39937837/] I've got my DNS set up to point local.example.com to 127.0.0.1. This is so that I can share cookies between the live site and my dev environment. With HSTS activated on the live site, my…
EoghanM

2 votes, 1 answer

HSTS and Wordpress redirection to www and non-www and https - avoid multiple redirections?

I am trying to implement the HSTS (HTTP Strict Transport Security) on my Wordpress site, but I am not getting any success. First I had managed to redirect my site from non-www to www, and including https://, but I got the message on…
mlclm

2 votes, 1 answer

How can I apply HSTS header to all vhosts over 443 in Apache

I'm looking to add the HSTS header in Apache... # HSTS / Header Strict Transport Security Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" ... but I have a long list of vhosts for different but related…
oucil

1 vote, 1 answer

How can I allow http when on a specific subdomain with nginx? (HSTS)

I am trying to test my site on a stage site before making it live. Obviously it doesn't have the same certificate. When I try to go in with the testing.domain.com subdomain, I get this error in…
stackers

1 vote, 1 answer

HTTP redirect (301, 302) with HSTS/.dev domain

I own a .dev domain, which is included on the HSTS preload list. The domain is registered with Namecheap. Now, when trying to set up redirects (301,302) from my www. to non-www, this is apparently causing problems. Services like…

1 vote, 2 answers

nginx fails to send HSTS headers despite being configured to do so

I'm setting up a site for myself using nginx and letsencrypt, and I wanted to set up HSTS preloading for the added security benefits; however, when I check the URL with multiple different scanners, HSTS headers are not sent. Here's the relevant block…
pyr0ball

1 vote, 1 answer

HSTS issues when redirecting to www. subdomain

I am trying to set up HSTS for my website but running into some problems regarding HSTS and the use of the www. subdomain. What I would like is for all HTTP and HTTPS traffic to redirect to https://www.example.co.uk. I have been using the…
Ross Hodgman

1 vote, 1 answer

Nginx redirect to www

I have the same configuration on all my blocks, yet only this one redirects to www while all my others redirect to non-www. I think it may have something to do with the HSTS that I've recently added, but am not sure, because like I said the other…
i6x86

1 vote, 2 answers

HSTS: Is includeSubDomains on main domain sufficient?

In my Plesk web admin edition I just activated HSTS on my main domain www.domain.tld with add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; The test on ssllabs.com says that everything works fine. The problem is my…

1 vote, 1 answer

Apache: HSTS redirection on non-standard HTTP port causes SSL error

I've read a few answers on SF, and I'm no closer to a solution. My problem seems a little specific... Customers were accessing a webserver on port 81. With the general trend towards HTTPS, the service was upgraded and installed on standard port 443.…
Philip

1 vote, 1 answer

How to configure HSTS redirect prerequisites using CloudFront?

The HSTS Preload List Submission website has very specific prerequisites which disallow combining protocol changes and redirects into one step (classic example - redirecting requests for http://example.com directly to https://www.example.com fails…

1 vote, 0 answers

Using HSTS with Sub Domain Forwarding

Scanning a website using https://observatory.mozilla.org gives me the following error: Initial redirection from http to https is to a different host, preventing HSTS. Question: Is this a genuine issue with my setup, or a bug in the tool where it's…
JohnLBevan

1 vote, 1 answer

Using CNAME records to redirect to HTTPS when HSTS is active

We have a website running in HTTPS on the following URL: abc.example.com. The problem is that our client thought that any website URL should start with www and has printed www.abc.example.com on all its labels... No problem, I simply created a…
Zeep

1 vote, 2 answers

hsts apache 2.4 not triggering?

I've set up Apache to use HSTS as follows just for testing and learning purposes only: /etc/apache2/sites-enabled/000-default.conf NameVirtualHost 192.168.3.55:80 NameVirtualHost 192.168.3.55:443 ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog…
jouell