
I'm trying to add HSTS to my site. I added the line for it and then checked it here but it fails with "No HSTS header". The site is configured to use www and in researching this failure, it seems I have to redirect to non-www first. I already had the redirect to www so I added the redirect to non-www above it. If I check the header, the Strict code shows for the www link but not for the non-www link. Would someone please point out what I am missing or doing wrong?

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://example.com/$1 [R,L]

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
user3052443
  • Can you see the header when you visit the site in Dev Tools? Also please, please, please do not preload your website until you have this properly working without issues for at least a month. – Barry Pollard Jun 03 '20 at 21:30
  • The strict code shows when I look in dev-tools. However, it is showing it for the www page due to the second redirect I have. I don't know how to view the non-www header, if it is even possible. Maybe that is why the submission page is failing. Does that mean it is not possible to use strict HSTS on a site that uses www? Regarding preload, I've removed that. Some posts I found said it was needed but didn't mention waiting. – user3052443 Jun 04 '20 at 02:22
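One way to see which response in the redirect chain lacks the header is to inspect every hop separately instead of only the final page. The script below is an added example, not part of the original question or its comments; the function names and the sample chain are assumptions constructed to match the symptom described (header present on www, absent on non-www).

```python
import http.client
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_hop(url, headers):
    """Classify one response in a redirect chain by its HSTS header."""
    if urlsplit(url).scheme != "https":
        return "ignored (plain HTTP)"  # browsers ignore HSTS sent over HTTP
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return "missing"
    max_age, include_sub = parse_hsts(value)
    if max_age is None:
        return "invalid (no max-age)"
    return f"ok max-age={max_age} includeSubDomains={include_sub}"

def audit_chain(hops):
    """hops: list of (url, status, headers) with redirects NOT followed."""
    return [(url, status, audit_hop(url, headers)) for url, status, headers in hops]

def fetch_hop(url):
    """Fetch a single response without following redirects (needs network)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    hop = (url, resp.status, dict(resp.getheaders()))
    conn.close()
    return hop

# Constructed sample chain (assumed, not captured from the asker's site).
HSTS = "max-age=31536000; includeSubDomains"
SAMPLE = [
    ("http://example.com/", 302, {"Location": "https://example.com/"}),
    ("https://example.com/", 302, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]

if __name__ == "__main__":
    for row in audit_chain(SAMPLE):
        print(row)
```

To check a live site, build the list with `fetch_hop()` for each URL in the chain and pass it to `audit_chain()`.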

0 Answers