Some websites will check what headers a website is serving and those reports sometimes conflict with what hstspreload.org says for a domain's Strict-Transport-Security header. Usually this conflict is because other scanning websites follow redirects while hstspreload.org looks at the headers on the response to the original request. (One such example of a scanning site is securityheaders.com, which defaults to following redirects.)
We should consider adding an FAQ section with an entry addressing this. (The Q could be something like "hstspreload.org says my domain isn't serving the Strict-Transport-Security header, but other tools see it. What's happening?")
Sounds pretty sensible, if you're facing a lot of such questions.
Although this issue probably affects less technical users, I would also suggest generating a curl command that shows exactly the main request being tested against, e.g. curl -I "https://garron.net/". We could also add richer information to error messages to this end.
(We do have the hstspreload CLI that's easy to install if you have Go on your system, but I don't think that's going to be as intuitive: go install github.com/chromium/hstspreload/...@latest; hstspreload preloadabledomain garron.net)
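The discrepancy described in this issue (hstspreload.org reads the Strict-Transport-Security header on the response to the original request, while redirect-following scanners report the header on the final response) can be made visible with a small script. The following is an added example, not code from the hstspreload project or from anyone in this thread. It captures each hop of a redirect chain without following redirects automatically, then reports the header on the first response and on the final response side by side. The hostnames, the `SAMPLE_CHAIN` responses and the `hsts_report`/`fetch_chain` function names are constructed for the example; `fetch_chain` needs network access, whereas `hsts_report` works on any captured chain and is what the offline sample exercises.

```python
"""Added example (not hstspreload's own code): compare the
Strict-Transport-Security (STS) header on the response to the original
request, which is what hstspreload.org evaluates, with the header on the
final response after following redirects, which is what many scanners report.
"""
import http.client
import sys
import urllib.parse
from dataclasses import dataclass, field

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """One hop of a redirect chain: status code plus response headers."""
    status: int
    headers: dict = field(default_factory=dict)


def header(resp, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_report(chain):
    """chain[0] is the response to the original request, chain[-1] the final
    response after redirects. Returns both STS values plus the hop count."""
    return {
        "original_response_hsts": header(chain[0], "Strict-Transport-Security"),
        "after_redirects_hsts": header(chain[-1], "Strict-Transport-Security"),
        "redirect_hops": len(chain) - 1,
    }


def explain(report):
    """Human-readable summary of why two tools may disagree."""
    if report["original_response_hsts"] is None and report["after_redirects_hsts"]:
        return ("No STS header on the original response; it only appears after "
                f"{report['redirect_hops']} redirect hop(s). hstspreload.org reports "
                "it as missing, redirect-following scanners report it as present.")
    if report["original_response_hsts"]:
        return "STS header is present on the original response."
    return "No STS header on either the original or the final response."


def fetch_chain(url, max_hops=10):
    """Live fetch (requires network). Issues HEAD requests one hop at a time so
    the headers of every response in the chain are captured, not just the last."""
    chain = []
    for _ in range(max_hops + 1):
        parts = urllib.parse.urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=10)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        chain.append(Response(resp.status, dict(resp.getheaders())))
        location = resp.getheader("Location")
        conn.close()
        if resp.status in REDIRECT_STATUSES and location:
            url = urllib.parse.urljoin(url, location)  # follow one hop manually
            continue
        break
    return chain


# Constructed sample chain (hypothetical host): the bare domain redirects to
# www without an STS header, and only the www response carries one.
SAMPLE_CHAIN = [
    Response(301, {"Location": "https://www.example.invalid/"}),
    Response(200, {"Strict-Transport-Security":
                   "max-age=31536000; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHAIN
    report = hsts_report(chain)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(explain(report))
```

Run it with a URL argument (e.g. `python hsts_check.py https://example.invalid/`, hypothetical host) to capture a live chain, or with no argument to see the constructed sample, which reproduces the situation the issue describes: the header is absent on the first response and present only after the redirect.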
lgarron added a commit to lgarron/hstspreload that referenced this issue on May 3, 2023