Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism by which a site instructs browsers to reach it only over HTTPS, protecting against protocol-downgrade attacks and cookie hijacking.

HTTP Strict Transport Security (HSTS) defined in RFC 6797 is a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example.
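The receive-side rules for the header described above, as an added example that is not part of this tag wiki or of RFC 6797 itself: a user agent must discard the field when it arrives over plain HTTP, process only the first field when a server sends several, ignore the whole field when it does not match the grammar, and treat max-age=0 as "forget this host". The `preload` token is not an RFC 6797 directive; it is the marker hstspreload.org looks for, and the one-year minimum below is that site's published threshold. The sample header values are constructed.

```python
# Added example (not from the original page): the receive-side rules of
# RFC 6797 section 8.1 for the Strict-Transport-Security field, so that a
# practitioner can see exactly which header values a conforming user agent
# honours, ignores, or treats as "forget this host".
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # minimum max-age that hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int            # delta-seconds; 0 means "remove cached policy"
    include_subdomains: bool
    preload: bool           # not an RFC 6797 directive; token read by hstspreload.org


def parse_sts(value: str) -> Optional[HstsPolicy]:
    """Parse one STS field value; return None when a UA must ignore the field."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue                          # the grammar allows empty directives
        name, _, val = directive.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            return None                       # 6.1: each directive at most once
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]               # max-age may carry a quoted-string
            if not (val.isascii() and val.isdigit()):
                return None                   # not delta-seconds -> ignore the field
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unrecognised and simply skipped (8.1)
    if max_age is None:
        return None                           # 6.1.1: max-age is REQUIRED
    return HstsPolicy(max_age, include_subdomains, preload)


def sts_from_response(headers: List[Tuple[str, str]], secure_transport: bool) -> Optional[HstsPolicy]:
    """Pick the policy from a whole response: nothing over plain HTTP, and only
    the first STS field when the server sent several (8.1)."""
    if not secure_transport:
        return None
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_sts(value)
    return None


def preload_eligible(policy: Optional[HstsPolicy]) -> bool:
    """Header-level checks hstspreload.org applies. Its other checks (for example
    the HTTP->HTTPS redirect on the same host) need a live server and are not modelled."""
    return (policy is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


if __name__ == "__main__":
    # Constructed responses for the cases the questions on this page ask about.
    print(parse_sts("max-age=31536000; includeSubDomains; preload"))
    print(sts_from_response([("Strict-Transport-Security", "max-age=600")], secure_transport=False))
    print(sts_from_response([("Strict-Transport-Security", "max-age=600"),
                             ("Strict-Transport-Security", "max-age=0")], secure_transport=True))
```

Because only the first field is processed, a second `Strict-Transport-Security` header added by a second virtual host or a proxy never reaches the browser's policy store, and a header sent on the port-80 site is silently dropped rather than acting as a hint.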

57 questions
1
vote
1 answer

Why must a HSTS header not be sent on HTTP

Why must a HSTS header not be sent on HTTP? What would it hurt; clients could take it as a hint to redirect to https.
Lenne
  • 987
  • 1
  • 13
  • 32
1
vote
2 answers

Disable HSTS and HPKP

We have a domain with HSTS and HPKP enabled and working. For a few reasons, we would like to disable it, not immediately, but as soon as key expires. This means that the site would remain accessible through HTTPS, as it is now, but without the HSTS…
TheMadCat
  • 35
  • 3
1
vote
1 answer

Securing Apache Solr on an Apache TLS / SSL server

I have a SSL-only website hosted on a CentOS 7, Apache httpd based server. SSL certification is via a Let's Encrypt certificate. The domain has a HTTP Strict Transport Security (HSTS) policy. I am also running Apache Solr (indexing; search) as a…
1
vote
0 answers

IIS Version 1607 on Windows Server 2016 -- How to Add HTTP Strict Transport Security (HSTS) Support

Our servers are running Windows Server 2016 with IIS 1607. From what I can tell, this means the IIS 10 on the system is prior-to version 1709 where apparently Microsoft added the HSTS element under the SITES element which allows an easier mechanism…
Dan7el
  • 133
  • 9
1
vote
1 answer

Nginx web server on VPS over HTTP - hsts

So I have been trying to serve a simple static web page over HTTP using Nginx 1.14.0 (Ubuntu). I am able to: curl the web page using both domain name and IP-address and find the web page in browser using IP-address. But I can't load the web page in…
Adam
  • 21
  • 4
0
votes
0 answers

IMG loaded from HSTS domain on non-HTTPS site breaks site

Would HSTS cause an entire site (browser) to redirect to its HTTPS counterpart if a single (or more) resource from an HSTS domain was inserted into a HTTP site - e.g. through an 'img' tag? We have http://subdomain.example.com loading an image from…
Kinnectus
  • 260
  • 1
  • 11
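The scenario in the question above, as an added example that is not part of the original post: a small model of the user-agent side of RFC 6797 (sections 8.2 and 8.3), where a store of known HSTS hosts decides per URL whether the scheme is rewritten to https. The hosts `subdomain.example.com` and `images.example.net`, the integer clock `now`, and the `img_on_plain_http_page` helper are constructed for the example; the store takes already-parsed directive values rather than raw header text.

```python
# Added example (not from the original page): the user-agent side of
# RFC 6797 sections 8.2 and 8.3. A store of known HSTS hosts decides, per URL,
# whether the scheme is rewritten to https. It takes already-parsed directive
# values; the clock `now` is a plain integer so expiry can be shown offline.
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now: int = 0) -> None:
        self.now = now
        self.hosts: Dict[str, Tuple[int, bool]] = {}   # host -> (expires_at, includeSubDomains)

    @staticmethod
    def _canon(host: str) -> str:
        return host.lower().rstrip(".")

    def note(self, host: str, max_age: int, include_subdomains: bool) -> None:
        """Record (or, with max-age=0, forget) a host after a valid STS header."""
        host = self._canon(host)
        try:
            ipaddress.ip_address(host.strip("[]"))
            return                      # 8.1.1: IP-address hosts are never HSTS hosts
        except ValueError:
            pass
        if max_age == 0:
            self.hosts.pop(host, None)  # 8.1: max-age=0 deletes the cached policy
        else:
            self.hosts[host] = (self.now + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        """8.2: a congruent match always applies; a superdomain match applies only
        when that superdomain was noted with includeSubDomains."""
        labels = self._canon(host).split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now:
                continue                # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """8.3: http -> https for known hosts; port 80 becomes the implicit 443,
        any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def img_on_plain_http_page(store: HstsStore) -> Tuple[str, str]:
    """The scenario from the question above (constructed hosts): the document is
    http://subdomain.example.com, the image comes from an HSTS host."""
    return (store.rewrite("http://subdomain.example.com/page.html"),
            store.rewrite("http://images.example.net/logo.png"))


if __name__ == "__main__":
    s = HstsStore(now=1000)
    s.note("images.example.net", 31536000, False)
    print(img_on_plain_http_page(s))
```

Only the image URL is upgraded, because the policy is keyed on the image's host; the containing page is rewritten only if its own host, or a parent domain noted with includeSubDomains, is in the store.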
0
votes
1 answer

SSLLabs: Strict Transport Security (HSTS): Server provided more than one HSTS header

CentOS 6.8, Apache 2.2. I have two websites running off this server (moodle and mahara). For some reason, the ssllabs tests come back fine for one of them (moodle) but for the mahara website, I get this warning: Strict Transport Security (HSTS) …
CMR
  • 133
  • 1
  • 2
  • 10
0
votes
1 answer

Nginx - HSTS and Redirect non-www to www

I am checking the HSTS header here: https://hstspreload.org/ This is my non-www conf server { listen 443 server_name example.com; return 301 https://www.$server_name$request_uri; ##SSL add_header Strict-Transport-Security…
Arsh Dhillon
  • 3
  • 1
  • 2
0
votes
1 answer

how to disable HSTS in haproxy

I have a haproxy-ssl-terminated (haproxy 1.5.8 2014/10/31, debian jessie stock) test website, where the certificate expired. I'd like to be able to use the site while the new certificate arrives, but chrome and firefox tell me I have HSTS enabled. I…
P.Péter
  • 569
  • 2
  • 6
  • 24
0
votes
0 answers

Force redirect to url with captive portal or dnsmasq

We are trying to host a static webpage (just one index.php) on a local wifi network without internet access. Essentially every user (mobile devices) should land on some landing page where he can upload some files to our server. We have tried two…
rex123
  • 101
  • 1
0
votes
2 answers

Mitigating HSTS Bypass

Friends, Is there any way to prevent HSTS bypass on Apache/RHEL environment. I have a webserver with valid SSL certificate for the domain. Non HTTPS requests are being redirected to HTTPS. Necessary headers including Content Security Policy, Strict…
Sam
  • 11
  • 1
0
votes
1 answer

HSTS with canonical URL redirect in nginx

I was using the nginx configuration taken from this post to implement redirect from http://(www.)example.com -> https://example.com: server { server_name www.example.com example.com; return 301 https://example.com$request_uri; } server { …
Heuriskos
  • 168
  • 7
0
votes
3 answers

Ideally, how should HSTS / SSL Everywhere / Let's encrypt work with captive Wifi portals?

Some captive Wifi portals require the ability to 301/302 redirect a user to an authentication / terms of service page before permitting access to the Internet. This is at odds with SSL, which can't be cleanly intercepted by the typical coffee shop…
makerofthings7
  • 8,911
  • 34
  • 121
  • 197
0
votes
2 answers

HSTS secured domain migration

I bought a domain from a stranger and it seems like he protected the domain with HSTS-preloading. Is HSTS bound to the specific certificate which was used when HSTS was activated or can I just create a new cert for the domain and activate HSTS again…
rockZ
  • 115
  • 1
  • 5
0
votes
1 answer

Configure Apache to send HSTS header only in virtual hosts using HTTPS

We have an Apache 2.4 server that runs numerous virtual hosts, some of which use http and some of which use https. I would like to send the same HSTS (Strict-Transport-Security) header only in those virtual hosts that use https. I realize I could…
user35042
  • 2,681
  • 12
  • 34
  • 60