No HSTS Preload For Non-www

Hi, I’m Andrea I’m here to help you in resolving the issue you encountered, also I apologize but I have received several requests and I think I missed yours.

I have started some verifications for the two topics currently with the similar issue and it will be my care to make an urgent patch as soon as found the problem on my side.

I am available for further information or issues and will try to respond as quickly as possible

Appreciate that…

Hi @vdn-staff, here I am! came back to you ?? as a first impression where I am analyzing the various information and creating a logical concept of the reported issue.

First input after a quick analysis of the website I found a header anomaly.
? scanning the domain without the NO-WWW shows those settings in the header

? scanning the domain with the YES-WWW shows those settings in the headers, and you can already see from this first check that the domain without of the litespeed configurations have preloaded the site with hstspreload.org. Instead the headers present in the domain without www have litespeed headers but I cannot preload the domain.

I apologize if I am writing you all this information but it will help you to understand the problem in the simplest way and solve your issue. I will now focus on figuring out if there are settings in litespeed that disable or configure basic preloads

It’s a lot to take in but I’m following…

Hi @vdn-staff, here I am again from you, I am here to ask you some more information about the version of Headers Security Advanced & HSTS WP plugin and the version of litespeed.

With this I will be able to do a more thorough test to find the issue on some installations created for the topic.

I am also inquiring and testing different settings and configurations with some active plugins

best regards

Headers Security Advanced & HSTS WP version is 5.0.14

LiteSpeed Cache version is 5.3.1

Hi @vdn-staff, here I am again with you and I hope to bring some good news I am trying to offer you the best assitance possible and in the shortest time.

Checking the latest settings of both the versions you provided me and a series of more in-depth internal tests, the issue you are experiencing no longer seems to me to be due to the previous verification of
LiteSpeed Cache version is 5.3.1 but directly to an incorrect configuration in the records part.

I am asking if you can confirm the use of CloudFlare for the domain without the www > vanndigital.com and instead the non-configuration of cloudflare for the domain with www > https://www.vanndigital.com ?

Below I send you an analysis of the DNS Lookup of your domain with and without the extension, and I note that the domain that was preloaded correctly with hstspreload.org does not use CloudFlare and instead the domain without the WWW and that fails to preload has configured third-party records (in this case CloudFlare).

The way to solve the problem I think is really in CloudFlare because it prefers and forces the use of its own base configurations.

if you confirm this to me we can collaborate together where I will show you inside cloudflare how to set some settings correctly.

best regards

Yea, I noticed that non-www preloads work when I use their HSTS Preload function but not when I don’t… </img>

• This reply was modified 2 years, 1 month ago by VannDigital. Reason: Had to correct a sentence

Hi @vdn-staff, thanks for your reply, I am available to help you solve the problem on the third party service CloudFlare.

If you are using CloudFlare to avoid the dynamic change of pointing and redirects I ask you to give it a try with HSTS service activation (Obviously the plugin will work but it will keep two policies to avoid this problem).

I already describe some steps to test the issue with CloudFlare.

For HSTS to work as intended, it is necessary:

• Enable HTTPS before HSTS so that browsers can accept HSTS settings (ALREADY ENABLED ON YOUR SITE).
• Enable HTTPS so that visitors can access your site (ALREADY ENABLED ON YOUR SITE).

After enabling HSTS, AVOID THE FOLLOWING changes to ensure that visitors can access your site:

• Changing your DNS records from proxy to DNS-only.
• Pause Cloudflare on your site.
• Pointing name servers away from Cloudflare
• Redirecting from HTTPS to HTTP
• Disabling SSL (invalid or expired certificates or certificates with mismatched host names)

To enable HSTS using the dashboard:

1) Log in to the Cloudflare dashboard and select your account.
2) Select your website.
3) Go to SSL/TLS > Edge Certificates.
4) For HTTP Strict Transport Security (HSTS), click Enable HSTS.
5) Read the dialog box and click I understand.
6) Click Next.
7) Configure the HSTS settings.
8) Click Save.

these are the settings you should set with cloudflare

To disable HSTS on your website:

1) Log in to the Cloudflare dashboard and select your account.
2) Select your website.
3) Go to SSL/TLS > Edge Certificates.
4) For HTTP Strict Transport Security (HSTS) , click Enable HSTS.
5) Set the ‘Maximum Age header to 0 (Disable).
6) If you previously enabled the No-Sniff header and wish to remove it, set it to Off.
7) Click Save.

Got it!!!