0

I want to pass all tests for HSTS Preload.

I currently have 2 errors that I need to solve:

First:

`http://example.com` (HTTP) should immediately redirect to
`https://example.com` (HTTPS) before adding the www subdomain. 
Right now, the first redirect is to `https://www.example.com/`.

My htaccess looks like this:

```apache
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]
```

Second:

Response error: No HSTS header is present on the response.

My htaccess looks like this:

```apache
<ifModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=84600; includeSubDomains"
</IfModule>
```

What am I missing and how can I pass the tests?

I use this test site: https://hstspreload.appspot.com/

JGeer
  • The site you linked contains information about what the header should look like... – PeeHaa Aug 10 '16 at 18:59
  • Also look up how to set up your redirects in Apache, which has been answered at least 1000 times here on SO. – PeeHaa Aug 10 '16 at 19:01

2 Answers

2

This is the correct one:

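```apache
# Plain HTTP goes to HTTPS on the same host first.
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Once on HTTPS, add the www prefix if it is missing.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<ifModule mod_headers.c>
# "always" also applies the header to redirect responses.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</ifModule>
```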
fabrizio.rocca
  • Thanks! I tried that, but that does not redirect the url http://domain.com/page to https://www.domain.com/page. How can I solve that? – JGeer Aug 21 '16 at 11:01
0

You can try this to pass the test.

```apache
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L,E=HTTPS:1]
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
```
Yuda Prawira
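An offline check of the two conditions discussed in this thread (first redirect stays on the same host, and a preload-ready HSTS header on each HTTPS hop), as an added example that is not part of the original question or answers. The function names, the sample chains and the choice to check every HTTPS hop are assumptions made for illustration; the one-year `MIN_MAX_AGE` is taken from the value both answers use.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # assumption: one-year minimum, the value both answers use

def hsts_problems(value):
    """Problems with one Strict-Transport-Security value (None means header absent)."""
    if value is None:
        return ["no HSTS header"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip().strip('"')
    problems, age = [], directives.get("max-age", "")
    if not age.isdecimal():
        problems.append("max-age missing or not a number")
    elif int(age) < MIN_MAX_AGE:
        problems.append(f"max-age {age} is below {MIN_MAX_AGE}")
    problems += [f"missing {f}" for f in ("includesubdomains", "preload") if f not in directives]
    return problems

def chain_problems(hops):
    """hops: (url, status, headers) tuples in the order a client follows them."""
    hops = [(urlsplit(u), s, {k.lower(): v for k, v in h.items()}) for u, s, h in hops]
    problems = []
    start, status, headers = hops[0]
    target = urlsplit(headers.get("location", ""))
    if start.scheme == "http":
        if status not in (301, 302, 307, 308) or target.scheme != "https":
            problems.append("HTTP does not redirect to HTTPS")
        elif target.hostname != start.hostname:
            problems.append(f"first redirect changes host to {target.hostname}")
    for url, _, headers in hops:  # every HTTPS hop, redirect responses included
        if url.scheme == "https":
            found = hsts_problems(headers.get("strict-transport-security"))
            problems += [f"{url.hostname}: {p}" for p in found]
    return problems

# Constructed sample chains (not captured traffic): the question's setup, then the fixed one.
GOOD = "max-age=31536000; includeSubDomains; preload"
BEFORE = [("http://example.com/", 301, {"Location": "https://www.example.com/"}),
          ("https://www.example.com/", 200,
           {"Strict-Transport-Security": "max-age=84600; includeSubDomains"})]
AFTER = [("http://example.com/", 301, {"Location": "https://example.com/"}),
         ("https://example.com/", 301,
          {"Location": "https://www.example.com/", "Strict-Transport-Security": GOOD}),
         ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD})]

if __name__ == "__main__":
    print("before:", chain_problems(BEFORE), "after:", chain_problems(AFTER))
```

To use it against a real site, record each hop's URL, status and response headers by hand (for example from your browser's network panel) and pass them in the same tuple shape.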