    Trouble with HSTS and Apache.

    Hi.

    I'm trying to set up HSTS (HTTP Strict Transport Security) but I'm having some issues.

    This is what I believe the requirements are:
    Code:
    Serve a valid certificate.
    Redirect from HTTP to HTTPS on the same host.
    Serve all subdomains over HTTPS.
    In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
    Serve an HSTS header on the base domain for HTTPS requests:
    The max-age must be at least eighteen weeks (10886400 seconds).
    The includeSubDomains directive must be specified.
    The preload directive must be specified.
    If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
    Here's a link to the draft: https://tools.ietf.org/html/rfc6797

    Here's the header I send over HTTPS (port 443) connections only:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


    Here's the message scanmyserver gives me every time they scan my server:
    Code:
    2. Non-compliant Strict Transport Security (STS) (Low)back
    Port:	https (443/tcp)
    Summary:
    The remote web server implements Strict Transport Security. However, it does not respect all the requirements of the STS draft standard.
    
    The Strict-Transport-Security header must not be sent over an unencrypted channel.
    More information:	http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
    Test ID:	12059
    If you look carefully, it shows the port number as 443, which isn't an unencrypted channel. So, this is a bit cryptic to me as to what I'm doing wrong. I'm thinking it has something to do with the unencrypted traffic on port 80. I use mod_rewrite to check if someone is connecting via port 80, and then I do a 307 redirect to the secure version of my site.

    After reading the requirements, I'm wondering if this is wrong. Should I be sending the HSTS header over port 80 because of the redirect I'm using?

    I contacted scanmyserver and their response wasn't too helpful to me. Maybe you guys could make some sense out of it:
    Code:
    Hi Spork,
    
    We can see it is redirect to https but best solution says to use Strict Transport Security (STS).
    This confuses me though, because the draft says:
    Redirect from HTTP to HTTPS on the same host.

    and

    Serve an HSTS header on the base domain for HTTPS requests:

    I'm redirecting, which sounds good. But am I actually supposed to send the HSTS header through non-encrypted channels, aka, port 80?

    I send the header for my domain, plus all DNS records / sub-domains that I have. For example, mydomain.com, www.mydomain.com, webmail.mydomain.com, whm.mydomain.com, etc

    Any thoughts?

    Thanks!
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
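As an added example (not from the post, scanmyserver, or Apache), here is a small Python checker that applies the requirement list quoted above to constructed responses: the plain-HTTP side must redirect to HTTPS on the same host and carry no HSTS header, while the HTTPS side (redirects included) must send a max-age of at least 10886400 with includeSubDomains and preload. The Response class, its fields and the finding strings are my own names.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_MAX_AGE = 10886400  # eighteen weeks, the minimum quoted in the requirements list


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    scheme: str                  # "http" or "https"
    status: int
    host: str                    # host the request was sent to
    headers: dict = field(default_factory=dict)

    def get(self, name):
        # Header names are case-insensitive, so match them that way.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Turn 'max-age=N; includeSubDomains; preload' into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_response(resp):
    """Return a list of findings; an empty list means the response is compliant."""
    findings = []
    hsts = resp.get("Strict-Transport-Security")
    if resp.scheme == "http":
        # RFC 6797 has clients ignore the header over plain HTTP, and the scanner
        # reports it as a finding, so the port-80 side should not send it at all.
        if hsts is not None:
            findings.append("HSTS header sent over unencrypted channel")
        loc = urlsplit(resp.get("Location") or "")
        if not 300 <= resp.status < 400 or loc.scheme != "https" or loc.hostname != resp.host:
            findings.append("HTTP request was not redirected to HTTPS on the same host")
        return findings
    if hsts is None:
        # Applies to redirects served over HTTPS as well, not only to final pages.
        return ["no HSTS header on HTTPS response"]
    d = parse_hsts(hsts)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
    if max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings
```

With the header from the post on the HTTPS side and a bare 3xx redirect on port 80, the checker returns no findings; it only complains if the plain-HTTP redirect also carries the header.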