Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
11 votes, 4 answers

Warning: Unnecessary HSTS header over HTTP

I want to use https:// and non www. URL always. So I used the following code in my htaccess file. But I am getting a warning from https://hstspreload.org RewriteCond %{HTTPS} off RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}…
Md Nurullah
9 votes, 0 answers

Options to enable HSTS in AWS Application load balancer

Do we have any options in AWS application load balancer to enable HSTS headers? I found a few forum topics saying that AWS ALB load balancers don't have this as a native option. We are using AWS ALB SSL terminating load balancer. We configured the load…
Prasanna B R
9 votes, 3 answers

Enable HTTP Strict Transport Security (HSTS) with spring boot application

I have followed the article https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts to enable HSTS header on my spring boot application. Despite making the required changes,…
kk.
8 votes, 2 answers

Add HTTP Strict Transport Security (HSTS) in AWS Gateway (REST API)

Our security team wants all our REST APIs on AWS to have the HTTP Strict Transport Security (HSTS) header set, even though our APIs are not called from any webpages. I have found some use cases on setting response headers in Lambda response but most of…
6 votes, 1 answer

Conditionally Implementing HSTS, SSL, and Secure Cookies in Rails Based on Domain

I run an application that hosts websites from multiple domains from a single application and server. I am moving some of those domains to SSL, but others are staying at http. I'm running Rails 4.x. I believe I CAN'T just use the config.force_ssl…
Jason Logsdon
6 votes, 1 answer

Header "Strict-Transport-Security" twice in response with Swisscom CloudFoundry application

When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to an HTTPS response. I have looked into this issue, and found out that several headers are added by the CloudFoundry…
6 votes, 2 answers

Do I need to enable HSTS in addition to forcing HTTPS in .htaccess?

I know nothing about this stuff so please ELI5 in your replies. Following the instructions from my provider, Dreamhost, I installed an SSL certificate and then added these lines to my .htaccess file to force HTTP requests to be rewritten to HTTPS…
AlwaysLearning
6 votes, 2 answers

Modify response header with sails.js for implementing HSTS

I am implementing a nodejs application using sails.js. I want my users to communicate only through https. So for doing that I need to configure my server so that with each response it will add a header "Strict-Transport-Security",…
Muhammad Raihan Muhaimin
5 votes, 1 answer

How to Implement HSTS header in ASP.Net Core 6.0?

I need to implement the HSTS header security in the ASP.Net Core 6.0 WEB API application. Below is my Program.cs var builder = WebApplication.CreateBuilder(args); ... // Https redirection builder.Services.AddHttpsRedirection(options…
One Developer
5 votes, 1 answer

Checkmarx scan - how to fix Missing_HSTS_Header warning?

After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header, on this piece of code that just returns the content of the metadata.json file (highlighted as the source of the error is "res.json"). const app…
Jozef
5 votes, 1 answer

HTTPS request implies an HTTP response header and a Mixed Content warning - how to avoid

In a PHP site I request images (user profile photos) from a PHP file; the images are loaded explicitly using HTTPS, as is the entire site, where HSTS is enabled. The problem is that the site gives a "Mixed content" warning in Chrome and Firefox even though…
Mark
5 votes, 1 answer

Chrome - Delete domain security policies is not Working for .app

I'm trying to delete a domain security policy in Google Chrome following this post and this one. But when I click to delete and clear browser data, it does not work. My domain is: http://localhost.domain-test.app:57471 and I'm using Windows. I'm following…
Lucas Argate
5 votes, 1 answer

HSTS workaround for Chrome for Dev Environment

We are looking for a way to have Chrome bypass the HSTS requirements for our dev environment. We are working on a project for https://foo.com. Within our organization's internal DNS we have DNS entries for foo.com.dev which point to our internal…
Turk21
5 votes, 1 answer

HSTS preload list - possible SEO issue for www sites

Let me explain a real world situation here. I run the website https://www.liloo.ro and I want to enable HSTS (+HSTS preload) for it. The problem is that in order to submit it to the preload list the main domain has to respond with an HSTS header. Let…
Alex
5 votes, 4 answers

How to disable HSTS header with HTTP?

I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" The…
fabrizio.rocca