chromium/hstspreload.org

hstspreload.appspot.com doesn't send an HSTS header

Closed this issue · 6 comments

Note that we do try to set the header if r.TLS != nil || maybeAppEngineHTTPS(r); perhaps sending the 301 redirect causes the header to be dropped, or maybe this is yet another silly edge case with Flexible Environment.
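The condition quoted above, exercised against a 301, as an added example (not the project's code): `behindTLSProxy` is a hypothetical stand-in for `maybeAppEngineHTTPS` that assumes the front end sets `X-Forwarded-Proto`, the routes are constructed, and the header value is the one reported further down the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue is the header value reported further down this thread.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// behindTLSProxy is a hypothetical stand-in for maybeAppEngineHTTPS: it
// assumes the front end marks HTTPS requests with X-Forwarded-Proto.
func behindTLSProxy(r *http.Request) bool {
	return r.Header.Get("X-Forwarded-Proto") == "https"
}

// withHSTS sets the header before the wrapped handler writes anything, so it
// is part of the response even when that handler answers with a redirect.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil || behindTLSProxy(r) {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// newSite is a constructed site: "/" returns 200, "/old" redirects with 301.
func newSite() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/old", http.RedirectHandler("/", http.StatusMovedPermanently))
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return withHSTS(mux)
}

// probe sends one plain-HTTP request, as a TLS-terminating front end would,
// and returns the status code and the HSTS header the handler emitted.
func probe(h http.Handler, path, proto string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://example.test"+path, nil)
	req.Header.Set("X-Forwarded-Proto", proto)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(probe(newSite(), "/old", "https"))
}
```

This covers only what the handler emits; whatever a front end or network intermediary does to the response afterwards is outside what `httptest` sees.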

According to Fiddler 4 and Google Chrome Dev Tools, hstspreload.appspot.com does indeed send the HSTS header.

What about now?

I'm not seeing it in DevTools or curl.

Woah, but bat gets a 200 with Strict-Transport-Security : max-age=31536000; includeSubDomains; preload

Rechecked in Fiddler 4, Google Chrome Dev Tools and Firefox Nightly. Same Result. In DevTools you must tick the checkbox "disable cache".

I just checked with my personal computer on a guest network, and it appears that the header is set for public responses, but stripped inside the Google corporate network.

<exasperation>ARARAGARHGARGHARHGHARGAHHHAHRGHRGAHRGAHGHARHHARHGAHRHGAHRHGAHRGHAHRGHARGHHAAHRGAHRG</exasperation>