
Is a 302 redirect honored? #198

Open
shaunwarman opened this issue Oct 16, 2020 · 4 comments

Comments

@shaunwarman

shaunwarman commented Oct 16, 2020

Trying https://fowardemail.net, there is a 302 redirect to https://forwardemail.net/<locale> (e.g. https://forwardemail.net/en) where the HSTS header is present:

Strict-Transport-Security: max-age=31557600; includeSubDomains; preload

hstspreload.org responds with "Error: No HSTS header. Response error: No HSTS header is present on the response."

Does the missing HSTS header on the initial response, with a 302 redirect to a page where the HSTS header is present, cause the issue?

I can see http -> https redirect via 301.

wget -O- --no-hsts http://forwardemail.net:80
--2020-10-16 07:51:50--  http://forwardemail.net/
Resolving forwardemail.net (forwardemail.net)... 167.71.85.68
Connecting to forwardemail.net (forwardemail.net)|167.71.85.68|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://forwardemail.net/ [following]
--2020-10-16 07:52:00--  https://forwardemail.net/

Using competitors like https://gf.dev/hsts-test says things are good.

@shaunwarman shaunwarman changed the title Does this still work? Is a 302 redirect honored? Oct 16, 2020
@lgarron
Collaborator

lgarron commented Oct 16, 2020

The header has to be sent on the response to / itself, even if there's a redirect to the same origin.

Depending on your server software, there may be a separate setting to do this for redirects. For example, in Apache you have to use the always keyword for this:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS

@niftylettuce

thanks @lgarron, @shaunwarman you can close this

@lgarron it might be good to make a note in the landing page that "if you 302 redirect to i18n landing pages like /en, note that your 302 redirect needs the HSTS header present" - not sure if many others have this but would be good to dummy-proof (since other sites follow their redirects on HSTS tests, and hstspreload.org does not).
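The two points above (the header must be on the response to / itself, even when that response is a redirect, and a tester that follows redirects will hide the gap) can be reproduced locally. The script below is an added example, not code from hstspreload.org or from forwardemail: it starts a throwaway server on 127.0.0.1 whose / answers 302 to /en without Strict-Transport-Security while /en carries the header, then fetches each hop without following redirects and reports any hop that lacks an acceptable header. Plain HTTP on localhost stands in for HTTPS here, and the one-year minimum max-age and the includeSubDomains/preload requirements are assumptions matching the preload criteria rather than anything stated in this thread.

```python
"""Audit every hop of a redirect chain for Strict-Transport-Security."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

HSTS = "Strict-Transport-Security"


class _Site(BaseHTTPRequestHandler):
    """Constructed origin: "/" redirects without HSTS, "/en" sends it."""

    def do_GET(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "/en")  # no HSTS header on this hop
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header(HSTS, "max-age=31557600; includeSubDomains; preload")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


def start_site():
    """Serve the constructed site on an ephemeral port; returns (host, port, server)."""
    server = HTTPServer(("127.0.0.1", 0), _Site)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[0], server.server_address[1], server


def parse_hsts(value):
    """Split an HSTS header value into directives (names lower-cased, flags -> True)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def fetch_chain(host, port, path="/", max_hops=5):
    """GET `path` WITHOUT following redirects; record (path, status, hsts) per hop.

    Each hop is requested separately so the redirect response itself is inspected,
    which is what hstspreload.org does for "/".
    """
    hops = []
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        hops.append((path, resp.status, resp.getheader(HSTS)))
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        path = urlsplit(location).path or "/"  # same-origin redirects only here
    return hops


def audit(hops, min_age=31536000):
    """Return findings for hops lacking an acceptable header; empty list means clean."""
    findings = []
    for path, status, hsts in hops:
        if hsts is None:
            findings.append(f"{path} ({status}): no HSTS header")
            continue
        d = parse_hsts(hsts)
        try:
            age = int(d.get("max-age", 0))
        except ValueError:
            age = 0
        if age < min_age:
            findings.append(f"{path} ({status}): max-age {age} below {min_age}")
        for required in ("includesubdomains", "preload"):
            if required not in d:
                findings.append(f"{path} ({status}): missing {required}")
    return findings


if __name__ == "__main__":
    host, port, server = start_site()
    chain = fetch_chain(host, port)
    for line in audit(chain) or ["all hops carry an acceptable HSTS header"]:
        print(line)
    server.shutdown()
```

Run against the constructed site, the audit flags only the 302 for / ("/ (302): no HSTS header") while /en passes, which is exactly the state the issue describes; a checker that followed the redirect and looked only at the final 200 would report success. Against a real deployment, point fetch_chain at the https:// origin (swap HTTPConnection for HTTPSConnection) and expect an empty findings list on every hop.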

@nharper
Collaborator

nharper commented Oct 19, 2020

I think mentioning i18n is a bit too specific. The Deployment Recommendations mention adding the Strict-Transport-Security header to all HTTPS responses. Would it help to clarify that by adding "including redirects"?

@niftylettuce

that'd be great
