2

I have configured Apache to return HSTS header. When connecting to https://lab20.example.com from Google Chrome and running with developer tools I can see the following response header: Strict-Transport-Security:max-age=63072000; includeSubdomains;

But it does not work. When I try to access the http://lab20.example.com, Chrome allows that.

Also when running from chrome: chrome://net-internals/#hsts Query domain "lab20.example.com" I receive "Response Not found".

Could anyone explain why this happens?

mt025
  • 3,506

4 Answers

9

For others who are seeing a similar issue - it may be because your browser has not yet accessed the site over HTTPS. Try accessing it over HTTPS and then again over HTTP. If HSTS is correctly implemented, then that last request should fail. MDN explains it nicely:

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

sfarbota
  • 241
1

HSTS does not work on a domain with invalid certificate.

Sounds reasonable, as it makes no sense to force https with a certificate that is not valid.

Jarekczek
  • 230
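The behaviour the two answers above describe (the header is ignored over plain HTTP and over HTTPS with a certificate error, and is honoured only after a clean HTTPS visit) modelled as an added Python example. This is not code from the question or from any of the answers; the names HstsStore, parse_hsts and demo, the fake clock and the host names are constructed for illustration. It goes a little beyond the answers by also applying the includeSubDomains matching, max-age expiry and max-age=0 removal rules of RFC 6797, so you can see why a query before the first HTTPS visit finds nothing.

```python
"""Model of the per-host HSTS cache a browser keeps (added example, not from the page).

Rules follow RFC 6797: the header is only honoured on an HTTPS response with no
certificate error, and an http:// request is upgraded only while an unexpired
entry for the host (or a parent with includeSubDomains) exists.
"""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

HSTS_HEADER = "strict-transport-security"


@dataclass
class HstsEntry:
    expires_at: float          # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed (missing or non-numeric max-age).
    Directive names are case-insensitive, so 'includeSubdomains' as written in
    the question is accepted; a trailing ';' is tolerated.
    """
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}

    def process_response(self, url, headers, cert_ok=True):
        """Record an HSTS entry from a response; returns True if one was stored.

        Mirrors the MDN note quoted above: over plain HTTP, or over HTTPS with a
        certificate error, the header is ignored entirely.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok:
            return False
        value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self._entries.pop(host, None)
            return False
        self._entries[host] = HstsEntry(self._now() + max_age, include_subdomains)
        return True

    def should_upgrade(self, url):
        """Would the browser rewrite this http:// URL to https:// before sending it?"""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.lower().split(".")
        now = self._now()
        for i in range(len(labels)):         # exact host first, then each parent domain
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:      # expired entries are dropped lazily
                del self._entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def demo():
    """Replay the sequence from the question with constructed responses."""
    header = {"Strict-Transport-Security": "max-age=63072000; includeSubdomains;"}
    store = HstsStore()
    before = store.should_upgrade("http://lab20.example.com/")             # nothing stored yet
    store.process_response("http://lab20.example.com/", header)            # ignored: plain HTTP
    over_http = store.should_upgrade("http://lab20.example.com/")
    store.process_response("https://lab20.example.com/", header, cert_ok=False)  # ignored: bad cert
    bad_cert = store.should_upgrade("http://lab20.example.com/")
    store.process_response("https://lab20.example.com/", header)           # honoured
    after = store.should_upgrade("http://lab20.example.com/")
    sub = store.should_upgrade("http://api.lab20.example.com/")            # includeSubDomains
    return before, over_http, bad_cert, after, sub


if __name__ == "__main__":
    print(demo())   # (False, False, False, True, True)
```

The first three results are False for exactly the reasons the answers give: until one HTTPS response with a valid certificate has carried the header, the store has no entry for the host, so an http:// request is sent as-is and a query for the domain finds nothing.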
0

Did you configure your site config so that Apache forces SSL on all subdomains, not just example.com and www.example.com?

Also I believe that the chrome://net-internals/#hsts only shows correct queries from sites that are preloaded and added via https://hstspreload.appspot.com/ . This explains why chrome://net-internals/#hsts doesn't work for you.

0x1771
  • 1
0

This might be because your PC has NO-SSL enabled or forced. If you can't disable NO-SSL, then your PC might not support disabling of NO-SSL.