• Resolved martinlillepuu

    (@martinlillepuu)


    Thank you for this plugin – designing CSP policy using this plugin was quick, easy and quite eye-opening.

    I have a change suggestion – add HSTS preload with includeSubDomains option, since Google HSTS Preload list (https://hstspreload.org/) requires both. What do you think?

    Martin

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Dylan

    (@dyland)

    I added this to my dev version of the plugin but it’s giving me some issues, as the redirect is happening without an HSTS header and redirects from the non-WWW to the WWW version of the domain name, i.e. https://mysite.com goes to https://www.mysite.com, which apparently is not preferred.

    Errors from https://hstspreload.org/:
    Error: No HSTS header
    Response error: No HSTS header is present on the response.

    Error: HTTP redirects to www first
    https://mysite.com (HTTP) should immediately redirect to https://mysite.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.mysite.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

    I’m not sure at this point if it’s because I’m on Amazon ELBs or if it’s something else. I’ll have to move the new code to another non-Amazon server to check.

    Dylan

    Plugin Author Dylan

    (@dyland)

    Ah got it, had to plug into the canonical filter and redirect one step at a time.
    Dylan

    Plugin Author Dylan

    (@dyland)

    This was pushed out in the 2.2 version.
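The two hstspreload.org errors quoted above (no HSTS header, and the HTTP apex redirecting to www before HTTPS) and Dylan's fix of redirecting one step at a time can be checked offline against a recorded redirect chain. The checker below is an added example written for this thread, not code from the plugin or from hstspreload.org; the hostnames and the two sample chains are constructed, and the checks (HTTPS on the apex before adding www, a Strict-Transport-Security header with max-age of at least one year, includeSubDomains and preload on every HTTPS response) are this example's reading of the preload requirements, not the site's exact rule set.

```python
from urllib.parse import urlsplit

# Constructed sample exchanges: each chain is the sequence of hops a browser
# follows from the plain-HTTP apex URL, as (request_url, status, response_headers).
# example.com is a placeholder host, not the forum poster's site.
GOOD_CHAIN = [
    ("http://example.com/", 301,
     {"Location": "https://example.com/"}),
    ("https://example.com/", 301,
     {"Location": "https://www.example.com/",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://www.example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]

# Chain reproducing the errors in the thread: the first hop jumps straight to
# the www host, and no HSTS header is sent on any response.
BAD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {}),
]

MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_hsts(value):
    """Split a Strict-Transport-Security header into a dict of lower-cased directives.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_preload(chain):
    """Return a list of problems found in the chain; an empty list means it passes."""
    problems = []
    first_url, first_status, first_headers = chain[0]
    first = urlsplit(first_url)
    apex = first.hostname

    # Rule 1: the HTTP apex must redirect to HTTPS on the same host before
    # anything else (the 'HTTP redirects to www first' error from the thread).
    if first.scheme == "http":
        target = urlsplit(first_headers.get("Location", ""))
        if first_status not in (301, 302, 307, 308) or target.scheme != "https":
            problems.append("HTTP does not redirect to HTTPS")
        elif target.hostname != apex:
            problems.append("HTTP redirects to %s first; expected https://%s/"
                            % (target.hostname, apex))

    # Rule 2: every HTTPS response in the chain carries a usable HSTS header
    # (the 'No HSTS header' error from the thread).
    for url, status, headers in chain:
        if urlsplit(url).scheme != "https":
            continue  # HSTS is ignored over plain HTTP, so nothing to check
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            problems.append("No HSTS header on %s" % url)
            continue
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_MAX_AGE:
            problems.append("max-age below one year on %s" % url)
        if "includesubdomains" not in d:
            problems.append("includeSubDomains missing on %s" % url)
        if "preload" not in d:
            problems.append("preload missing on %s" % url)
    return problems


if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_preload(chain) or "OK")
```

Running it prints `good OK` and, for the bad chain, the www-first redirect and the missing header, the same two findings the thread reports. To use it on a live site, record the hops with a non-following HTTP client (one request per hop, reading the Location header each time) and feed the tuples to check_preload.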

  • The topic ‘HSTS Preload with includeSubDomains’ is closed to new replies.