hstspreload.appspot.com doesn't send an HSTS header
Closed this issue · 6 comments
This breaks the www.no_tls whitelisted case of the TestPreloadableDomainAndRemovableDomain test for hstspreload.
Note that we do try to set the header if r.TLS != nil || maybeAppEngineHTTPS(r); perhaps sending the 301 redirect causes the header to be dropped, or maybe this is yet another silly edge case with Flexible Environment.
According to Fiddler 4 and Google Chrome Dev Tools, hstspreload.appspot.com does indeed send the HSTS header.
What about now?
I'm not seeing it in DevTools or curl.
Woah, but bat gets a 200 with Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I just checked with my personal computer on a guest network, and it appears that the header is set for public responses, but stripped inside the Google corporate network.
<exasperation>ARARAGARHGARGHARHGHARGAHHHAHRGHRGAHRGAHGHARHHARHGAHRHGAHRHGAHRGHAHRGHARGHHAAHRGAHRG</exasperation>
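
A way to rule the server side in or out when debugging a missing header like this, as an added example that is not the hstspreload project's code: it exercises a handler that uses the condition quoted in the issue and inspects the 301 and the 200 separately, without following redirects. The helper `behindTLSProxy` (a stand-in for `maybeAppEngineHTTPS`, with an assumed `X-Forwarded-Proto` check), the `/old` path and the `example.test` host are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header value as reported in the thread.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// behindTLSProxy is a hypothetical stand-in for the maybeAppEngineHTTPS(r)
// check named in the issue; the X-Forwarded-Proto test is an assumption.
func behindTLSProxy(r *http.Request) bool {
	return r.Header.Get("X-Forwarded-Proto") == "https"
}

// handler sets HSTS under the condition quoted in the issue, then answers
// "/old" with a 301 and every other path with a 200.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS != nil || behindTLSProxy(r) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
	}
	if r.URL.Path == "/old" {
		http.Redirect(w, r, "/", http.StatusMovedPermanently)
		return
	}
	fmt.Fprintln(w, "ok")
}

// probe sends one request straight to the handler (no redirect following,
// no intermediary) and returns the status and HSTS header of that response.
func probe(path string, viaTLSProxy bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://example.test"+path, nil)
	if viaTLSProxy {
		req.Header.Set("X-Forwarded-Proto", "https")
	}
	rec := httptest.NewRecorder()
	handler(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Strict-Transport-Security")
}

func main() {
	for _, path := range []string{"/old", "/"} {
		code, hsts := probe(path, true)
		fmt.Printf("%s -> %d %q\n", path, code, hsts)
	}
}
```

If the header is present here on both responses but absent in a client's view, the difference lies between the handler and that client, which matches what the thread found.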