0

I set the HSTS header on my site and I want to test that the different browsers (Chrome, Firefox, IE, Opera) do enforce the header.

I set a trusted certificate, connect to the site and I can see the header in the HTTP response, but I want to validate that the browser does enforce the protocol.

In Chrome it's easy and it works:

- I can query the site at chrome://net-internals/#hsts
- When trying to connect over HTTP I get a 0 KB response with status 307.
- If I change back to a self-signed cert I can't connect to the site and there is no proceed option.

The other browsers behave differently: I can't query the HSTS list, the response status and size are different, and when changing to a self-signed cert (after a first trusted connection) I do have a proceed option.

So how can I validate that the protocol is enforced in each browser?

IdolAdmin

1 Answer

2

Although Chrome's ability to query the HSTS cache and see the fake 307 redirect is handy, you can just check whether HSTS is enforced.

HSTS offers you two options:

  1. Automatically load HTTP resources over HTTPS
  2. Prevent click-through of cert errors.

You are concentrating on the second option, but why not use the first option as the test? Just load the site up over HTTP and check whether it is redirected (i.e. loads the HTTP URL and so is not using an HSTS rule) or whether it just loads the HTTPS URL immediately (i.e. is using HSTS).

So in Firefox, for example, open the network tools and click the "Persist logs" option (and let's tick "Disable Cache" to avoid any confusion). Then go to a site which has an HSTS header over HTTP (e.g. http://stackoverflow.com) and you'll see a 301 redirect if this is your first visit:


Next time you go to it (after it has cached the HSTS header) it should go directly to the HTTPS URL even though you typed the HTTP URL in the address bar:


If you've already been on stackoverflow.com then you can clear the HSTS cache to try this again.

Once you've confirmed whether or not HSTS is being used, you can then investigate the click-through issue. Browsers should not allow click-through when HSTS is in place, including for self-signed certs, but maybe there's a bug, or it's still cached your old cert in some places, or the HSTS policy has expired, or something else...

Barry Pollard
  • I looked at the HTTP headers too; the problem is how do you distinguish whether the 301/302/307 response status came from the server or the browser? With Chrome the header size is 0 KB; with other browsers it is not the same. I'm testing this with multiple servers and browsers and sometimes I get different behaviors. Now, after I connect with a trusted cert and replace it with a self-signed cert, or remove the CA that I added, I still can "proceed" to the site (with IE); a while before it was OK and blocked me (yes, I saw that the cert change was recognized by the browser). – IdolAdmin Feb 22 '18 at 15:07
  • 301 and 302 come from the server (though they can be cached). 307 comes from the browser. – Barry Pollard Feb 22 '18 at 16:30
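The answer and the comments above describe what a conforming browser should do once it has cached the policy: a first http:// visit reaches the server and gets its 301, the HTTPS response carries Strict-Transport-Security, and every later http:// request for that host (and, with includeSubDomains, its subdomains) is rewritten to https:// before anything goes on the wire, until max-age runs out or a max-age=0 response removes the policy. The following is an added example, not code from the question or the answer: a small Python model of that HSTS store, following the rules in RFC 6797 (header honoured only on an error-free HTTPS connection, invalid or duplicate directives ignored, superdomain policies applying downward only with includeSubDomains). Use it to work out the expected outcome of your own test sequence, then compare that with what the network panel shows for each browser. Host names, the max-age value and the timestamps are constructed for the walk-through.

```python
"""Model of how a browser stores and applies an HSTS policy (RFC 6797).

Added example, not code from the question or answer. It predicts what a
conforming browser should do on a second http:// visit so that result can
be compared with what each browser's network panel actually shows.
"""
import re

# One directive per ";"-separated token: max-age is mandatory, the others
# are flags. A quoted max-age value is allowed by the RFC grammar.
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*')


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when a browser must ignore the header (missing max-age,
    duplicate directive, unparsable token).
    """
    seen = set()
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:  # RFC 6797 6.1: a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if value is None:
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if result["max_age"] is None:
        return None
    return result


class HSTSStore:
    """Minimal per-host HSTS cache of the kind a browser keeps."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now, secure_connection=True):
        """Record a header seen on a response at time `now` (seconds).

        Browsers only honour HSTS on an HTTPS connection with no
        certificate errors, so a header on a plain-HTTP or untrusted
        response is ignored. max-age=0 deletes any stored policy.
        """
        if not secure_connection:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._policies.pop(host, None)
            return
        self._policies[host] = (now + policy["max_age"],
                                policy["include_subdomains"])

    def should_upgrade(self, host, now):
        """True if an http:// request to `host` must be rewritten to https://
        before any bytes reach the network (the 307 Chrome shows internally).
        Walks from the exact host up through its parent domains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired: browser falls back to plain HTTP
            if i == 0 or include_subdomains:
                return True
        return False


def walk_through(now=1_000_000):
    """The sequence from the answer, with constructed host and timestamps:
    first http:// visit gets the server's 301 (nothing cached yet), the
    https:// response carries HSTS, later visits are upgraded by the browser
    until the policy expires."""
    store = HSTSStore()
    header = "max-age=31536000; includeSubDomains"  # one year
    first = store.should_upgrade("example.com", now)  # server redirect, not HSTS
    # A header on the plain-HTTP leg of a misconfigured server is ignored.
    store.observe("example.com", header, now, secure_connection=False)
    store.observe("example.com", header, now)  # header on the HTTPS response
    second = store.should_upgrade("example.com", now + 60)
    sub = store.should_upgrade("www.example.com", now + 60)
    expired = store.should_upgrade("example.com", now + 31536000 + 1)
    return first, second, sub, expired
```

`walk_through()` returns `(False, True, True, False)`: only the first request is a genuine server-side redirect, which is the distinction the comments draw between a 301/302 from the server and a 307 generated by the browser. If a browser still sends the http:// request to the server on the second visit, or still upgrades after `max-age` has elapsed, its behaviour differs from this model and is worth investigating.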