
In my project, HSTS is enabled. So if someone is trying to use the site over HTTP then it redirects to HTTPS.

After the Security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS.

Example 1:

On Google Chrome, if I try the below URL then it redirects to HTTPS:

http://example.com/backend/web/lib/roboto/Roboto-Light.woff2

redirects to

https://example.com/backend/web/lib/roboto/Roboto-Light.woff2

If I try the same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

Example 2:

If I try the below URL on both Google Chrome and Firefox, it just downloads the file.

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

So what should I do to fix this issue?

Update

Network log after accessing the below URL:

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

[Screenshots of the browser network tab]

It seems that the first file is being loaded by visiting the HTTP URL, but the HTTPS one is not being shown in the browser's address bar; I'm not sure though.

VHOST Settings

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName example.com

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
DS9
  • Please give real example URLs, not made-up ones, so we can take a look at the HSTS headers being sent. – ceejayoz Oct 29 '18 at 13:29
  • Apologies but I am not able to provide real URL because of company policy. – DS9 Oct 29 '18 at 13:34
  • 1
    Then at least use `example.com` so you're not a) confusing everyone and b) sending 404 traffic at innocent real domains. Our answers will be limited as a result; check your HSTS headers via cURL. – ceejayoz Oct 29 '18 at 13:34
  • Sure, will use example related URL from next time. – DS9 Oct 29 '18 at 13:41
  • I have tried the $ curl -s -D- https://example.com/ | grep Strict command (change the domain) and the result is: Strict-Transport-Security: max-age=63072000; includeSubdomains; – DS9 Oct 29 '18 at 13:43
  • Do the `curl` on the specific `.ttf` file URLs, not the domain root. – ceejayoz Oct 29 '18 at 13:50
  • 2
    You need to give the config which sets your HSTS header, the web server you are using, whether HSTS is set in webserver config or returned by PHP come on index file only and the HTTP headers returned for those font files (blurred screenshots or anonymised headers will do). Until you give this, no one can really help you. – Barry Pollard Oct 29 '18 at 13:55
  • Tried with that ttf file URL but the result is same. Also added the ss of network tab. – DS9 Oct 29 '18 at 14:00
  • @BarryPollard Added the screenshots. – DS9 Oct 30 '18 at 04:50
  • @DS9 you have shown that HSTS is working, and I’ve no idea if the Strict-Transport-Security header is sent on the font requests because you have only shown half the headers. You have also not answered my other questions. I suspect you are setting HSTS in PHP so it only applies to the page. Set it instead in the web server and it will apply to all resources. – Barry Pollard Oct 30 '18 at 07:55
  • The 307 is an internal redirect. It’s a fake redirect intended to simulate a 301/302 but the only one sent to the web server is the second HTTPS call. – Barry Pollard Oct 30 '18 at 08:01
  • @BarryPollard in the vhost I have set up the below: RewriteEngine on RewriteCond %{HTTP:X-Forwarded-Proto} ^http$ RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]. No settings within PHP. – DS9 Oct 30 '18 at 08:34
  • That doesn’t set HSTS. That just is a normal redirect. Find out what (if anything) is setting HSTS. – Barry Pollard Oct 30 '18 at 09:01
  • @BarryPollard Added the VirtualHost settings. – DS9 Oct 30 '18 at 09:15
  • Looks like you are setting HSTS for all assets (though personally I would only set this if the original request was over HTTPS but anyway). So it should be being sent on the request. Is it definitely not being sent on your second screenshot if you scroll down? – Barry Pollard Oct 30 '18 at 10:03
  • @BarryPollard Updated the 2nd Screenshot. So Strict-Transport-Security: max-age=63072000; includeSubdomains; is there. – DS9 Oct 30 '18 at 10:22

1 Answer


You need to go back and ask the security scan people why they think this is the case.

You are clearly showing that HSTS is being set for the font files. You are also showing that you are correctly getting the 307 internal redirect for HSTS reasons.

This is the way it's supposed to work. You get two requests in Chrome's network tab (other browsers may be different):

  1. A fake 307 response which upgrades the request from HTTP to HTTPS. This is created by the browser and the HTTP request never reaches the server. Hence why I am calling it a "fake" response.
  2. The real request sent over HTTPS.

As fonts are downloaded it's difficult to tell that this was downloaded over HTTPS except by looking in the network tab - but that's fine.

If I try the same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

How do you know this? Are you sure you have visited the site over HTTPS to get the HSTS header? The first request may well be over HTTP (though you have a standard redirect in place so this should redirect to HTTPS and then download), but after that it should auto redirect BEFORE the request is sent.

If I try the below URL on both Google Chrome and Firefox, it just downloads the file.

It probably does. But after a redirect.

It seems that the first file is being loaded by visiting the HTTP URL, but the HTTPS one is not being shown in the browser's address bar; I'm not sure though.

No, as discussed the first one is a dummy request. The second is the real request which is actually sent to the browser. As the font file is downloaded immediately it doesn't do anything with the URL bar.

Barry Pollard
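As an added example, not part of the question or of Barry Pollard's answer: a small POSIX shell script that does the check recommended in the comments (curl against the specific font URL, not the domain root) and makes the answer's two points verifiable. The parsing functions take captured response headers as a string, so the constructed sample headers below stand in for real responses and the script can be self-checked offline; `check_url` is the only part that needs network access and assumes curl is installed. curl does not apply HSTS by default, so unlike a browser its plain-HTTP request genuinely reaches the server, which is what you want when confirming the 301 redirect in the VirtualHost.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Checks two things a security scan usually wants for a static asset:
#   1. the HTTPS response carries Strict-Transport-Security with a
#      sufficiently long max-age, and
#   2. the plain-HTTP twin of the URL answers with a redirect to https://.
# The parsers take raw response headers as a string so they can be run
# offline; check_url wires them to curl for a live check.

ONE_YEAR=31536000   # minimum max-age most scanners and preload lists expect

# _norm HEADERS: strip CRs and lower-case everything for case-insensitive matching
_norm() { printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z'; }

# hsts_max_age HEADERS -> prints the max-age value, or nothing if absent
hsts_max_age() {
    _norm "$1" | grep '^strict-transport-security:' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_ok HEADERS -> success if HSTS is present and max-age >= one year
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$ONE_YEAR" ]
}

# hsts_includes_subdomains HEADERS -> success if includeSubDomains is set
hsts_includes_subdomains() {
    _norm "$1" | grep '^strict-transport-security:' | grep -q 'includesubdomains'
}

# http_redirects_to_https HEADERS -> success if the status line is a redirect
# and the Location header points at an https:// URL
http_redirects_to_https() {
    status=$(_norm "$1" | sed -n '1s/^http\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    loc=$(_norm "$1" | sed -n 's/^location: *//p' | head -n 1)
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$loc" in https://*) return 0 ;; *) return 1 ;; esac
}

# check_url URL -> live check with curl (needs network; curl assumed installed).
# "-D - -o /dev/null" prints only the response headers, as in the comments above.
check_url() {
    https_url=$(printf '%s' "$1" | sed 's#^http://#https://#')
    http_url=$(printf '%s' "$https_url" | sed 's#^https://#http://#')
    https_hdr=$(curl -sS -D - -o /dev/null "$https_url")
    http_hdr=$(curl -sS -D - -o /dev/null "$http_url")
    if hsts_ok "$https_hdr"; then
        echo "OK   HSTS on $https_url (max-age=$(hsts_max_age "$https_hdr"))"
    else
        echo "FAIL no or short HSTS on $https_url"
    fi
    if http_redirects_to_https "$http_hdr"; then
        echo "OK   $http_url redirects to HTTPS"
    else
        echo "FAIL $http_url does not redirect to HTTPS"
    fi
}

# Constructed sample headers (not captured from a real server): what a good
# HTTPS response for the .ttf and its HTTP twin look like with the VirtualHost
# shown in the question.
SAMPLE_HTTPS_HEADERS='HTTP/1.1 200 OK
Content-Type: font/ttf
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Content-Length: 12345'

SAMPLE_HTTP_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://example.com/backend/web/lib/roboto/Roboto-Black.ttf
Content-Length: 0'

# Usage:
#   sh hsts_check.sh            offline self-check over the samples
#   sh hsts_check.sh <url>      live check of one asset URL
if [ $# -gt 0 ]; then
    check_url "$1"
else
    hsts_ok "$SAMPLE_HTTPS_HEADERS" && echo "sample HTTPS headers: HSTS ok"
    http_redirects_to_https "$SAMPLE_HTTP_HEADERS" && echo "sample HTTP headers: redirect ok"
fi
```

The one-year threshold is a common scanner expectation rather than anything the question's scan report states; lower it if your policy differs. Run it against the font URL itself (the `.ttf` or `.woff2`), because a header sent on the HTML page but not on the asset is exactly the gap a scanner flags.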