Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.
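The description above states the policy in one sentence; the following is an added example (written for this page, not code from the original page or from any server or framework mentioned in the questions below) that models the user-agent side of RFC 6797 in JavaScript. It parses the Strict-Transport-Security header (case-insensitive directive names, max-age required, duplicate directives invalidate the header, unknown directives ignored, quoted values allowed), honours the header only when it arrived over HTTPS, tracks expiry from max-age, applies includeSubDomains to subdomains, and rewrites http:// URLs of Known HSTS Hosts to https://. The names parseStsHeader, HstsStore and demo, the constructed clock and the sample responses are this example's own assumptions; "preload" is not an RFC 6797 directive and is only recorded here because the HSTS preload list convention uses it.

```javascript
// Added example: minimal model of RFC 6797 processing in a complying user agent.
// Names (parseStsHeader, HstsStore, demo) and all sample data are constructed.

// Parse an STS header field value. Returns {maxAge, includeSubDomains, preload}
// or null when the header must be ignored (RFC 6797 s6.1: malformed, missing
// max-age, or a directive that appears more than once).
function parseStsHeader(value) {
  const seen = new Set();
  let maxAge = null, includeSubDomains = false, preload = false;
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;            // duplicate directive: whole header invalid
    seen.add(name);
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);                    // quoted-string form of the value
    }
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = parseInt(val, 10);
    } else if (name === "includesubdomains") {
      if (val !== null) return null;             // valueless directive (s6.1.2)
      includeSubDomains = true;
    } else if (name === "preload") {
      preload = true;                            // preload-list convention, not in RFC 6797
    }
    // any other directive is ignored (s6.1)
  }
  if (maxAge === null) return null;              // max-age is REQUIRED
  return { maxAge, includeSubDomains, preload };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;                              // injectable clock so expiry can be tested
    this.hosts = new Map();                      // Known HSTS Hosts: host -> {expires, includeSubDomains}
  }

  // Process one response. Only responses received over HTTPS count (s8.1);
  // the header on a plain-HTTP response is ignored (s7.2). Returns true if
  // the store was updated.
  processResponse({ scheme, host, headers }) {
    if (scheme !== "https") return false;
    const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "strict-transport-security");
    if (!hit) return false;
    const policy = parseStsHeader(hit[1]);
    if (policy === null) return false;
    const h = host.toLowerCase();
    if (policy.maxAge === 0) {                   // max-age=0 removes the host (s6.1.1)
      this.hosts.delete(h);
      return true;
    }
    this.hosts.set(h, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Exact host match, or a superdomain match when that entry has includeSubDomains (s8.2).
  isKnownHstsHost(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.hosts.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// for a Known HSTS Host (s8.3); the WHATWG URL
  // parser already drops the default port, so http://host:80/ becomes https://host/.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnownHstsHost(u.hostname)) {
      u.protocol = "https:";
      return u.toString();
    }
    return url;
  }
}

// Constructed walk-through: header over HTTP ignored, then accepted over HTTPS,
// applied to a subdomain, and finally expired after max-age seconds.
function demo() {
  let t = 1700000000000;                         // constructed clock, milliseconds
  const store = new HstsStore(() => t);
  const sts = { "Strict-Transport-Security": "max-age=600; includeSubDomains" };
  store.processResponse({ scheme: "http", host: "example.com", headers: sts });
  const ignoredOverHttp = store.upgrade("http://example.com/login");
  store.processResponse({ scheme: "https", host: "example.com", headers: sts });
  const upgraded = store.upgrade("http://example.com/login");
  const subdomain = store.upgrade("http://static.example.com/font.woff2");
  t += 601 * 1000;                               // past max-age
  const expired = store.upgrade("http://example.com/login");
  return { ignoredOverHttp, upgraded, subdomain, expired };
}
```

Running demo() shows why several questions below behave as they do: a header sent on an http:// response changes nothing, a subdomain is only upgraded when the parent set includeSubDomains, and once max-age has elapsed the browser falls back to plain HTTP until it sees the header again over HTTPS.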

326 questions
0
votes
0 answers

prevent file downloading for 301 Moved Permanently url for HSTS

In my project, HSTS is enabled. So if someone is trying to use the site over HTTP, it redirects to HTTPS. After the security scan, it was reported that ttf, woff and woff2 files are ignoring the HSTS. So if I access:…
DS9
  • 2,995
  • 4
  • 52
  • 102
0
votes
1 answer

307 temporarily moved code when page loads in Chrome

I have run into a dilemma I cannot figure out. All my pages (currently being served on both localhost & a live server) redirect twice with a 307 header code until finally reaching the 200 success code and the page loads. This seems to only be…
0
votes
1 answer

How to edit the HSTS "max-age" directive in Chrome?

How to edit the HSTS "max-age" directive in Chrome? I want to test what happens when the HSTS "max-age" directive expires and the user visits my web application. I know that the proper behavior would be that, since HSTS has expired, the browser is…
Shuzheng
  • 11,288
  • 20
  • 88
  • 186
0
votes
1 answer

Testing browsers (Firefox, Chrome, IE) and HSTS

I am trying to do some testing with HSTS, so I set up a new Apache instance, configured it with a server cert (not self-signed), configured it to send the HSTS header, and am now trying to test using Firefox, Chrome, and IE. However, so far,…
user555303
  • 1,146
  • 3
  • 20
  • 44
0
votes
1 answer

HSTS not appearing in headers

I have the following lines in my .htaccess file: Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload" env=HTTPS However, I know my site isn't sending the HSTS…
Bysander
  • 119
  • 3
  • 9
0
votes
1 answer

How to handle http requests which are getting redirected as https using my nodejs-express app?

I am injecting some script tags in a website, with a source such as http:localhost:3000/css/my-page-css.css . While it's working on almost all sites, there's this particular website that is somehow sending all my HTTP requests as HTTPS. How do I handle…
Tripti Rawat
  • 645
  • 7
  • 19
0
votes
1 answer

How do I force SSL and also have a www domain URL redirect?

I have a domain running on example.com and https://example.com on Heroku. I have a URL redirect on my name server from www to https://example.com. I have config.force_ssl = true set in config/environment/production.rb. The domain URL redirect works…
Chloe
  • 25,162
  • 40
  • 190
  • 357
0
votes
1 answer

lighty - unwanted HSTS

I have been running lighty on my development machine for some years now, have set up some vhosts, one of them is phpmyadmin and one of the others uses SSL with a self-signed certificate on certain pages; and it has been working fine for years. But…
Titus
  • 452
  • 8
  • 19
0
votes
0 answers

TLS handshake in HTTP connection confusion

Hi everyone, my apologies. We are now 1.5 years later and I was looking over this article again and I realize that the question I had was very poorly constructed. I will try to reformulate it properly. I've read about HTTPS redirections, HSTS, SSL…
ItsShowtime
  • 185
  • 2
  • 2
  • 10
0
votes
3 answers

Kubernetes ingress not enforcing inserting hsts into headers

I am using kubectl to run Kubernetes on a Kops-controlled cluster on AWS. I want to insert the Strict-Transport-Security header into the pages that are served from our site. My ingress currently forces all traffic to HTTPS, but ignores the…
NewBDAQ
  • 1
  • 1
  • 2
0
votes
1 answer

How to Enable HSTS in Play framework 2.3.x using scala code?

I have a Play Framework 2.3.6 app running on sbt, using the sbt SSL endpoint with Scala code... I would like to see the (HSTS) Strict-Transport-Security response header. I am trying locally in Postman using the URL http…
0
votes
2 answers

How to configure HTTP Strict Transport Security in Sonatype nexus

I know that we can enable HSTS in Apache Tomcat, as there is an option to achieve that. Is there any way we could configure it on top of the Sonatype Nexus Artifact Repository Manager? I found a configuration file of Nexus, jetty-http.xml,…
Krishna
  • 1
  • 1
0
votes
1 answer

How do I validate HSTS is being enforced by the browser

I set the HSTS header on my site and I want to test that the different browsers (Chrome, Firefox, IE, Opera) do enforce the header. I set a trusted certificate, connect to the site and I can see the header in the HTTP response, but I want to…
IdolAdmin
  • 61
  • 1
  • 5
0
votes
1 answer

What happens if i preload HSTS with Unnecessary HSTS header over HTTP?

The HTTP page at my website sends an HSTS header. This has no effect over HTTP, and should be removed. But what if I decide not to remove the error and preload my website through the HSTS Preload form? What happens?
0
votes
1 answer

HSTS header response processing over secured transport

As per RFC 6797: [..] "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport." [..] https://www.rfc-editor.org/rfc/rfc6797#page-18 My question is: if the client is trying to access the host over…
Nilesh
  • 1
  • 1