chromium/hstspreload.org

Is a 302 redirect honored?

shaunwarman opened this issue · 4 comments

Trying https://forwardemail.net there is a 302 redirect to https://forwardemail.net/<locale> (e.g. https://forwardemail.net/en) where the HSTS header is present:

Strict-Transport-Security: max-age=31557600; includeSubDomains; preload

hstspreload.org responds with:

Error: No HSTS header
Response error: No HSTS header is present on the response.

Does the missing HSTS header on the initial response, with a 302 redirect to a page where the HSTS header is present, cause the issue?

I can see the http -> https redirect via 301.

 wget -O- --no-hsts http://forwardemail.net:80
--2020-10-16 07:51:50--  http://forwardemail.net/
Resolving forwardemail.net (forwardemail.net)... 167.71.85.68
Connecting to forwardemail.net (forwardemail.net)|167.71.85.68|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://forwardemail.net/ [following]
--2020-10-16 07:52:00--  https://forwardemail.net/

Competitor tools like https://gf.dev/hsts-test say things are good.

The header has to be sent on the response to / itself, even if there's a redirect to the same origin.

Depending on your server software, there may be a separate setting to do this for redirects. For example, in Apache you have to use the always keyword for this:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
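The difference between the two checks described in this thread (hstspreload.org looks only at the response to / itself; other testers follow the redirect and inspect the landing page) can be reproduced locally. The script below is an added example and not code from the hstspreload.org project: it starts two throwaway HTTP servers on 127.0.0.1 that mimic forwardemail.net, one that 302-redirects / to /en without an HSTS header and one that sends the header on the redirect as well, then runs both styles of check against each. Plain HTTP on localhost stands in for HTTPS here, which is an assumption made for the sake of running offline; the preload requirements encoded in preload_problems (max-age of at least one year, includeSubDomains, preload) are the published hstspreload.org submission requirements, and the Location handling assumes path-only redirects, which is all the demo servers emit.

```python
"""Reproduce 'No HSTS header' on a 302 redirect, locally (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HSTS = "Strict-Transport-Security"
MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age of at least one year
GOOD_VALUE = "max-age=31557600; includeSubDomains; preload"  # value from the thread


def make_handler(hsts_on_redirect):
    """Handler mimicking a site that 302-redirects / to /en (constructed, not real)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/":
                self.send_response(302)
                self.send_header("Location", "/en")
                if hsts_on_redirect:  # the 'Header always set' behaviour
                    self.send_header(HSTS, GOOD_VALUE)
                self.end_headers()
            else:
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header(HSTS, GOOD_VALUE)  # landing page always has it
                self.end_headers()
                self.wfile.write(b"landing page\n")

        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler


def start_server(hsts_on_redirect):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(hsts_on_redirect))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path):
    """Single request, no redirect following; returns (status, lower-cased headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def parse_hsts(value):
    """Parse 'max-age=...; includeSubDomains; preload' into {name: value_or_None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_problems(value):
    """Problems with an HSTS value against the preload requirements; [] means OK."""
    if value is None:
        return ["No HSTS header is present on the response."]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["max-age directive missing or not an integer."]
    problems = []
    if max_age < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_MAX_AGE}.")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing.")
    if "preload" not in d:
        problems.append("preload directive missing.")
    return problems


def check_first_response(host, port):
    """What hstspreload.org does: inspect only the response to GET /."""
    _, headers = fetch(host, port, "/")
    return preload_problems(headers.get("strict-transport-security"))


def check_following_redirects(host, port, max_hops=5):
    """What the other testers do: follow redirects, inspect the final response."""
    path = "/"
    for _ in range(max_hops):
        status, headers = fetch(host, port, path)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            path = headers["location"]  # assumes path-only Location values
            continue
        return preload_problems(headers.get("strict-transport-security"))
    return ["Too many redirects."]


def run_demo():
    """Run both checks against the broken and the fixed server configuration."""
    results = {}
    for label, fixed in (("redirect_without_hsts", False), ("redirect_with_hsts", True)):
        srv = start_server(fixed)
        host, port = srv.server_address
        results[label] = {
            "first_response": check_first_response(host, port),
            "after_redirects": check_following_redirects(host, port),
        }
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

Running it shows the asymmetry the reporter hit: against the server that omits the header on its 302, the redirect-following check passes while the first-response check reports exactly "No HSTS header is present on the response."; once the header is also sent on the redirect, both checks pass.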

Thanks @lgarron; @shaunwarman, you can close this.

@lgarron it might be good to make a note in the landing page that "if you 302 redirect to i18n landing pages like /en, note that your 302 redirect needs the HSTS header present" - not sure if many others have this but would be good to dummy-proof (since other sites follow their redirects on HSTS tests, and hstspreload.org does not).

I think mentioning i18n is a bit too specific. The Deployment Recommendations mentions adding the Strict-Transport-Security header to all HTTPS responses. Would it help to clarify that by adding "including redirects"?

that'd be great