• Resolved ralf58

    (@ralf58)


    Hello,

    after activating “HTTP Strict Transport Security policy” the rule was entered in htaccess, but when checking on https://hstspreload.org/ it is not recognized: “Error. No HSTS header…Response error: No HSTS header is present on the response.”

    WordPress and all apps are up to date and there are no other entries regarding HSTS in the htaccess.

    How can we remedy this?

    Ralf

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @ralf58

    Thank you for reaching out and I am happy to help!
    I’ve tested this, and once I enable the option HTTP Strict Transport Security policy in the Performance > Browser Cache > Security headers section and choose the directive max-age=EXPIRES_SECONDS; includeSubDomains; preload, the test passes and in the source I can see the following:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    Also the rules are added in the .htaccess:

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>

    After checking your website I can only see:

    Referrer Policy: strict-origin-when-cross-origin
    Can you please share the screenshot of what is enabled in the BC settings in the W3 Total Cache and check if your hosting provider has some security settings in the httpd.conf configuration file?

    Thanks!

    Thread Starter ralf58

    (@ralf58)

    Hello Marko,
    Since I don’t have my own server, I can’t access the configuration file.

    My problem is probably due to the configuration of the server at Ionos (1and1). I have now found several sources that also describe that an HSTS in htaccess is not read correctly if the site is hosted by Ionos. At one point it is even claimed that the rules have to be entered both in htaccess and with php in the functions.php of the (child) theme.

    In fact, on my other sites that are not hosted by Ionos, the htaccess entries regarding “Strict-Transport-Security” work fine.

    Nevertheless, I would like to send the “Browser Cache” settings again.
    See you then
    Ralf

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @ralf58

    Thank you for your feedback.
    Well, it seems that you are correct. The Browser Cache settings are correct, and I would suggest reaching out to the support of the hosting provider, if you have this option, and checking this with them.
    Thanks!

    Thread Starter ralf58

    (@ralf58)

    Hello,
    my host couldn’t give me a reason for the error. I have now removed the entry for HSTS from W3TC and manually inserted the complete HTTP from https://scotthelme.co.uk/hardening-your-http-response-headers into htaccess. So that HSTS is not recognized by https://hstspreload.org, but the header is reported for individual files.

    Next I’ll try out whether I can store the instructions in the theme via php.
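
An added example, not part of the thread and not W3 Total Cache code: a small checker that applies the header-level preload requirements (max-age of at least 31536000, includeSubDomains, preload) to response headers per URL, which makes the "header on individual files but not on the page itself" situation described above visible. The function names and the sample responses are constructed for illustration; it checks only the header directives, not redirects or certificates.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def preload_problems(headers):
    """Return why a response fails; headers is a list of (name, value) pairs."""
    # Header names are case-insensitive; keep duplicates visible.
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["No HSTS header is present on the response."]
    problems = []
    if len(values) > 1:
        problems.append("multiple HSTS headers; browsers process only the first")
    directives = parse_hsts(values[0])
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        problems.append("max-age is missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append(f"{required} directive is missing")
    return problems

# Constructed sample responses (not captured from the site in the thread).
SAMPLE_RESPONSES = {
    "/": [("Referrer-Policy", "strict-origin-when-cross-origin")],
    "/style.css": [("strict-transport-security",
                    "max-age=31536000; includeSubDomains; preload")],
    "/short": [("Strict-Transport-Security", "max-age=86400; includeSubDomains")],
}

def audit(responses):
    """Map each path to its list of preload problems (empty list = passes)."""
    return {path: preload_problems(hdrs) for path, hdrs in responses.items()}

if __name__ == "__main__":
    for path, problems in audit(SAMPLE_RESPONSES).items():
        print(path, "->", problems or "OK")
```

The preload check looks at the response for the site's root document, so a header that only appears on static files still produces the "No HSTS header" result.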

  • The topic ‘HSTS doesn’t work’ is closed to new replies.