Skip to main content

OK what's the magick with HSTS ? it doesn't work

rscalover
Your server has to send a "Strict-Transport-Security" header with includesubdomains and preload directives included and redirecting all http traffic to https i do that but
just curious why it is not working.

Comments

6 comments

Date Votes
  • cPRex Jurassic Moderator
    Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way. I'm personally not familiar with that testing site, but here are two methods I have used before with good results: How to check if HSTS is enabled - SSL Certificates - Namecheap.com
    0
  • rscalover
    Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way. I'm personally not familiar with that testing site, but here are two methods I have used before with good results:
    0
  • cPRex Jurassic Moderator
    Contacting them directly and seeing how they perform the test is also a good option.
    0
  • rscalover
    Contacting them directly and seeing how they perform the test is also a good option.

    I think i found the cause of the issue the form at hstspreload.org connects to my website with useragent "Go-http-client" but i have a custom mod_security rule that detects strange useragents like that because they are often used by well bad guys and then if they exceed LF_MODSEC the ip is banned by csf.I can whitelist that ip however doing that allows the whitelisted ip todo anything they want i am to paranoid to trust strangers i wonder why they use such a strange useragent .
    0
  • cPRex Jurassic Moderator
    Good catch!!!
    0
  • rscalover
    Hello, It seems "Go-http-client" belongs to a programming language called "go" i don't know that language and have no experience with it whenever i need to process a form or make a request to an external resource i just use PHP with cURL i guess i am old fashioned http - The Go Programming Language it does make me curious you can mark this as solved :)
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post