
In my project, HSTS is enabled. So if someone is trying to use the site over HTTP then it redirects to HTTPS.

After the security scan, it was reported that ttf, woff and woff2 files are ignoring the HSTS.

So if I access: http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

Then it downloads that file instead of redirecting to the HTTPS one in the address bar of the browser.

Then I checked the network logs using the developer tools:

1) When I access the font file over HTTP, below is the result:

[screenshot: developer tools network log]

So it has a 301 Moved Permanently status, but it downloads the font file over HTTP.

2) Then it redirects to the font file over HTTPS in the developer tools, but the URL is not changing in the address bar of the browser.

[screenshot: developer tools network log]

So what should I do to fix this issue? Should HSTS prevent the file from downloading over HTTP? It's working fine for files which can be displayed in the browser, like HTML, CSS, JS, images etc., but not for the ones which are not viewable in the browser.

  • The most common way to stop anyone from accessing the site or any resources through http is to set up the web server to not serve anything through http. It should only be a vhost that redirects the request to https. How are you implementing the redirect? – M. Eriksson Oct 30 '18 at 06:29
  • This is the rule which was set up in the vhost: `RewriteEngine on` / `RewriteCond %{HTTP:X-Forwarded-Proto} ^http$` / `RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` – DS9 Oct 30 '18 at 06:41
  • Possible duplicate of [ttf and woff files are not using the HSTS](https://stackoverflow.com/questions/53046519/ttf-and-woff-files-are-not-using-the-hsts) – Barry Pollard Oct 30 '18 at 08:02
  • Please don’t duplicate questions. No, HSTS does not prevent downloading of the file over HTTP. It should make it such that the browser doesn’t want to download it over HTTP. Many browsers and HTTP clients do not understand HSTS, so they need to fall back to the redirect - especially for the first request, to get the HSTS header. Turning off listening on port 80 does NOTHING for security, since an attacker can just run a port 80 server in your place and pretend to respond to your request (assuming they have access to DNS or network interception). – Barry Pollard Oct 30 '18 at 08:06
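To make the point in the last comment concrete (HSTS is enforced by the browser, not the server: the policy is only learned from an HTTPS response, so the very first request for the font still goes to port 80 and the 301 is what carries it to HTTPS), here is an added toy model of a browser's HSTS store in Python. It is not code from the question, the comments or any real browser; the `HstsStore` and `font_request_walkthrough` names, the hostnames and the header values are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)', re.IGNORECASE)


class HstsStore:
    """Toy model of a browser's HSTS policy store (RFC 6797), host -> expiry."""
    def __init__(self):
        self._expires = {}

    def process_response(self, url, headers):
        # RFC 6797 s8.1: the header is honoured only on a response that itself
        # arrived over HTTPS, so the 301 on port 80 teaches the browser nothing.
        parts = urlsplit(url)
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), "")
        m = _MAX_AGE.search(sts)
        if parts.scheme != "https" or not m:
            return False
        if int(m.group(1)) == 0:           # max-age=0 withdraws the policy
            self._expires.pop(parts.hostname, None)
        else:
            self._expires[parts.hostname] = time.time() + int(m.group(1))
        return True

    def is_known(self, host):
        return self._expires.get(host.lower(), 0) > time.time()

    def upgrade(self, url):
        # What the browser does before any packet leaves: http -> https for
        # known hosts. Explicit ports and includeSubDomains are left out here.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def font_request_walkthrough():
    """The sequence from the question, with constructed responses."""
    store = HstsStore()
    http_font = "http://example.com/backend/web/lib/roboto/Roboto-Black.ttf"
    https_font = "https://" + http_font[len("http://"):]
    first = store.upgrade(http_font)   # no policy yet: the request goes out as http
    # Port 80 answers 301 Moved Permanently; a policy header here is ignored.
    store.process_response(first, {"Strict-Transport-Security": "max-age=31536000"})
    # The policy is learned only from the https response that the 301 led to.
    store.process_response(https_font, {"Strict-Transport-Security": "max-age=31536000"})
    second = store.upgrade(http_font)  # now rewritten before any network I/O
    return first, second
```

The same logic explains the observation in the question: the server-side 301 is what the browser follows on the first request (the downloaded bytes come from the HTTPS response), and only after that does an `http://` link get rewritten client-side.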
