SOLVED OK what's the magick with HSTS ? it doesn't work

Operating System & Version
Centos 7.9

rscalover

Well-Known Member
Dec 16, 2010
99
11
58
cPanel Access Level
Root Administrator
Your server has to send a "Strict-Transport-Security" header with includesubdomains and preload directives included and redirecting all http traffic to https i do that but www.hstspreload.org says

error http does not redirect to https (that's a lie it does)
error no HSTS header (another lie that header is send)

so to redirect http to https i have this

Code:
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
and the header

Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;preload"
just curious why it is not working.

 

Attachments

Last edited:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,496
1,009
313
cPanel Access Level
Root Administrator
Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way.

I'm personally not familiar with that testing site, but here are two methods I have used before with good results: How to check if HSTS is enabled - SSL Certificates - Namecheap.com
 

rscalover

Well-Known Member
Dec 16, 2010
99
11
58
cPanel Access Level
Root Administrator
Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way.

I'm personally not familiar with that testing site, but here are two methods I have used before with good results: How to check if HSTS is enabled - SSL Certificates - Namecheap.com
Well since hsts can cause your whole website to become inaccesible i'm just carefull that automated tool does display the green background (indicating everything is ok) and the submit button becomes enabled the test just causes doubt maybe i should contact them about it.
 

rscalover

Well-Known Member
Dec 16, 2010
99
11
58
cPanel Access Level
Root Administrator
Contacting them directly and seeing how they perform the test is also a good option.
I think i found the cause of the issue the form at hstspreload.org connects to my website with useragent "Go-http-client" but i have a custom mod_security rule that detects strange useragents like that because they are often used by well bad guys and then if they exceed LF_MODSEC the ip is banned by csf.I can whitelist that ip however doing that allows the whitelisted ip todo anything they want i am to paranoid to trust strangers i wonder why they use such a strange useragent .
 
  • Like
Reactions: cPRex

rscalover

Well-Known Member
Dec 16, 2010
99
11
58
cPanel Access Level
Root Administrator
Hello,

It seems "Go-http-client" belongs to a programming language called "go" i don't know that language and have no experience with it whenever i need to process a form or make a request to an external resource i just use PHP with cURL i guess i am old fashioned http - The Go Programming Language it does make me curious you can mark this as solved :)