chromium/hstspreload.org

`Strict-Transport-Security` header detected incorrectly

Closed this issue · 2 comments

The domain lihaoyu.cn has a `Strict-Transport-Security: max-age=31536000;includeSubDomains;preload` header, but hstspreload.org said that this domain doesn't have any HSTS header.

Meanwhile, www.lihaoyu.cn is normal.

> but hstspreload.org said that this domain doesn't have any HSTS header.

Checking the response for https://lihaoyu.cn in Chrome DevTools and cURL/HTTPie, that looks correct. The site needs to resume sending the header to stay preloaded.

I concur with @lgarron's assessment. This appears to be a configuration issue with the website, not an issue with hstspreload.org. One possible explanation for why lgarron, hstspreload.org, and I don't see the HSTS header is that it's possible that the website only sends the HSTS header under some conditions.
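
The following is an added example, not part of the issue thread and not hstspreload.org's own code. It shows one way to confirm the "header is only sent under some conditions" explanation: parse response headers captured from different clients and check each against the preload header requirements. The client labels and both captures are constructed, and the one-year `max-age` minimum is the requirement hstspreload.org publishes.

```python
# Added example: all captures below are constructed, not real responses from the site.
import re

MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(raw_headers):
    """Return the directives of the first Strict-Transport-Security header, or None."""
    for line in raw_headers.splitlines()[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            directives = {}
            for part in value.split(";"):
                key, _, val = part.strip().partition("=")
                if key:
                    directives.setdefault(key.strip().lower(), val.strip().strip('"'))
            return directives                        # RFC 6797: only the first header counts
    return None

def preload_problems(directives):
    """List the reasons a response does not meet the preload header requirements."""
    if directives is None:
        return ["no HSTS header"]
    problems = []
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append("max-age below one year")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append("missing " + required)
    return problems

def compare_captures(captures):
    """Map each client label to its problems; differing results suggest conditional sending."""
    return {label: preload_problems(parse_hsts(raw)) for label, raw in captures.items()}

# Constructed captures of the same URL fetched by two hypothetical clients.
CAPTURES = {
    "browser": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Strict-Transport-Security: max-age=31536000;includeSubDomains;preload\r\n",
    "scanner": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}

if __name__ == "__main__":
    for label, problems in compare_captures(CAPTURES).items():
        print(label, "->", problems or "meets preload header requirements")
```

Real captures can be produced by saving the response headers from each client (browser, cURL, HTTPie) to text and passing them in place of `CAPTURES`.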