Cannot pick up the HSTS headers
ayrton opened this issue · 2 comments
ayrton commented
I'm having issues submitting my website to the HSTS preload list. The form responds that no HSTS header is present on the response.
$ curl https://hstspreload.org/api/v2/preloadable\?domain=careerwatchlist.com
{
"errors": [
{
"code": "response.no_header",
"summary": "No HSTS header",
"message": "Response error: No HSTS header is present on the response."
}
],
"warnings": []
}
However when I look at the headers they are present there:
$ curl -I https://careerwatchlist.com
HTTP/2 200
date: Wed, 11 Nov 2020 08:10:58 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d170f175bec1497844aece8f97d9da14f1605082258; expires=Fri, 11-Dec-20 08:10:58 GMT; path=/; domain=.careerwatchlist.com; HttpOnly; SameSite=Lax; Secure
cf-ray: 5f068a33cb600b78-AMS
cache-control: max-age=0, private, must-revalidate
etag: W/"1e6c268df10d9a44ad465e7b06f6a63b"
last-modified: Tue, 10 Nov 2020 13:31:38 GMT
set-cookie: _careerwatchlist_session=7L3y3dylFZ84c0M%2FBEyk%2FueLNRXoaVypjONPyzCyVV7kACn5owm7DLMzmgKombqKxGiqstAAM2iyyhsnOK3f%2BNqXZBWcqGKZhlQJMmIfARQo9XS7BsHICf5LQ3yAfi7MH8Ro6zqO0o4CCIYfrnbeILnVIkMV5%2FPEkESIPcTIo549HTXLz9kp8apXo%2Fr832H2NwX3vHtvS%2FqIzNdlLPgGZW8gQOcert0M3qteQ7YnLP7uu%2FGU%2FKBFccw9tFKN5UDOQwdMvV3hVy7vZRA1ecRr11StLJ2%2Fp8BscIdoWjwOkS0%3D--JRdPu%2B%2FeeRYQrRzb--rVNCqcI3cFy1tJvwM0cHdg%3D%3D; path=/; secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains; preload
via: 1.1 vegur
cf-cache-status: DYNAMIC
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
x-html-edge-cache: cache
x-request-id: 9cc7cde9-5798-4eac-a63b-ce1cd68dce35
x-runtime: 0.033139
cf-request-id: 0657f4b46200000b782f1bd000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sl1mQqpFoPCazX%2BzLurIlguSRJYV8CjZOvMcrtg9W5ZUfGicHTXFefVlxGzRd3ChmCHdGVZvV2%2Bf%2FrORyHNLsbj%2BiAPuuSFAvIt83MxQZ%2FPj2kqAH9QhbTRl%2B1f3V2pk"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
What am I missing here?
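Added example, not from the issue or the hstspreload project: a small Python checker that parses raw `curl -I` output like the capture above into a header multimap and evaluates the Strict-Transport-Security value against the preload list's header requirements (max-age of at least one year, includeSubDomains, preload). It also reports when the header is sent more than once, as it is in the capture above, since RFC 6797 says a client processes only the first one; the response embedded in the code is a constructed, trimmed copy of that capture.

```python
from typing import Dict, List
# hstspreload.org requires a max-age of at least one year plus includeSubDomains and preload.
MIN_MAX_AGE = 31536000

# Constructed sample: a trimmed copy of the `curl -I` capture in the issue,
# keeping both strict-transport-security lines that the full capture shows.
SAMPLE_RESPONSE = """HTTP/2 200
date: Wed, 11 Nov 2020 08:10:58 GMT
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse `curl -I` output into {lowercased name: [values...]}, keeping repeats."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_hsts(headers: Dict[str, List[str]]) -> List[str]:
    """Return the problems found with the HSTS header; [] means it looks preloadable."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["no HSTS header present"]
    issues: List[str] = []
    if len(values) > 1:
        # RFC 6797 section 8.1: a UA processes only the first STS header field.
        issues.append(f"HSTS header sent {len(values)} times; only the first is used")
    directives: Dict[str, str] = {}
    for part in [p.strip() for p in values[0].split(";") if p.strip()]:
        name, _, val = part.partition("=")
        name = name.lower()  # directive names are case-insensitive
        if name in directives:
            issues.append(f"directive '{name}' repeated")
        directives[name] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        issues.append(f"max-age {max_age} is below the required {MIN_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            issues.append(f"missing '{required}' directive")
    return issues
```

Run `check_hsts(parse_headers(SAMPLE_RESPONSE))` to see the duplicate-header finding; pipe a live `curl -I` capture into `parse_headers` to check your own server.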
nharper commented
There appears to be some difference between how the hstspreload library used by hstspreload.org. I would suggest building and running the tool in https://github.com/chromium/hstspreload to test and debug why your server is behaving differently when using the hstspreload library instead of curl.