Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
0 votes, 2 answers

Can strict transport security be enforced generally?

I would like to prevent users accessing my website using http. Instead, I want to enforce the use of https. Usually, I have my websites hosted at providers who simply have a checkbox "Enforce https". In this case, I have my own Ubuntu (nginx)…
tmighty
0 votes, 1 answer

HSTS header (strict-transport-security) is not always returned (sometimes it is, sometimes not)

I configured IIS to send the HSTS header. When I tried to verify using the curl command, I got the header sometimes and sometimes I didn't. In the below image you can see I accessed the same site using the curl command. The first time I…
Amal
0 votes, 1 answer

HSTS Preload differing results

On one of my sites I have Header set Strict-Transport-Security "max-age=31536000" env=HTTPS and this was enough for HSTS to be preloaded, but the exact same snippet in my .htaccess file doesn't allow preloading on another site. I went with Header…
0 votes, 1 answer

Returning Strict-Transport-Security includeSubdomains for a subdomain

Trying to find the answer and the spec doesn't actually seem to help. The spec for HSTS says the following about the includeSubdomains flag: includeSubDomains is a flag which, if present, signals to the UA that the HSTS Policy…
roryhewitt
0 votes, 0 answers

HSTS header not showing in Spring boot app using Azure app service

I'm using Spring Boot (Spring version 5.2.9) and have it deployed to Azure App Service (Linux server). I have it set so it's using HTTPS only under the TLS/SSL settings in Azure. I am unable to see the HSTS header being set in responses. When I run…
Michelle
0 votes, 1 answer

Why is the HSTS header required if an http-to-https redirect is already present?

We have a webserver running behind an AWS ALB with AWS CloudFront in front of the ALB. We have set up forced http->https redirection in both the CDN and the ALB. Do we still need to configure the HSTS header? What are the disadvantages if we don't set up HSTS, when…
0 votes, 1 answer

Enabling HSTS in an exe-hosted WCF web service

I have a WCF service which is hosted in an exe using the ServiceHost class. I call it a "web service" because it's listening via https, so I can ping it from a web browser. (Sorry if not all my terms are precise.) I would like to enable HSTS for…
0 votes, 1 answer

Chrome keeps redirecting because of HSTS

I have implemented a simple static server like this in /etc/nginx/sites-available/default that will serve a bunch of files server { listen 80; server_name www.x.app x.app; root /usr/share/app/front-end/build; location / { …
0 votes, 0 answers

Why is the Spring Security HSTS header being removed by App Engine?

I have a rather simple Spring Boot application running on the GCP App Engine. I enabled Spring Security to get the default security response headers on the API's endpoints. Now I have all of the default headers except HSTS when I deploy the app into…
0 votes, 1 answer

How to access a private webpage protected by HSTS with an outdated SSL certificate?

Unfortunately, I forgot to update the SSL certificate of my Solar Smart Logger. I do not have SSH access to this device; the only way to configure it is through the web interface. That is why I had to upload my Let's Encrypt cert (for split-brain…
Alex
0 votes, 1 answer

Firebase hosted site getting error "Did Not Connect: Potential Security Issue"

I have added a site to Firebase Hosting and it is working fine when I navigate to the site URL without www. in it, but when I try to redirect to the site with www. I get an HSTS warning. https://devkey.web.app/ This link is working…
Suraj Giri
0 votes, 1 answer

HSTS for domains that redirect to a different one

Sorry if this question was already asked; I couldn't find a similar case. So, we're about to implement HSTS for the domain, say, example.com. Said domain has a couple of different domains that redirect to it, domain1.com and…
MadHatter365
0 votes, 0 answers

"Strict Transport Security" in Blazor WebAssembly

I have 2 web applications: MVC & Blazor WebAssembly. In the MVC project I was able to set up the application to enforce strict-transport-security by adding the HSTS middleware in the startup class, following the instructions in Microsoft…
Husam Ebish
0 votes, 1 answer

Is HSTS required when the load balancer does not serve HTTP requests?

I have a web application running on AWS EC2 behind a load balancer which only listens for HTTPS requests on port 443, along with a security group which only allows traffic on port 443, so my application cannot be reached via HTTP (as far as I am…
FrostyOnion
0 votes, 1 answer

Question about setting HTTP Strict-Transport-Security in a docker container with code or compose/container settings

I'm using the mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim Linux Docker image as a base for my .NET Core 3.1 web application running in a Docker Linux container, and I would like to add HSTS headers, but I've not been successful in doing…
KAE