Should HSTS be enabled on non-200 responses?
Closed this issue · 3 comments
nodesocket commented
The newly added HSTS feature does not add the header on non-200 responses. I've always thought that backends should always return the HSTS header if enabled.
Currently SSL Labs will mark all instances of freegeoip as:
Strict Transport Security (HSTS) | No
Thoughts?
```
➜ ~ curl -i https://geoip.mydomainhere.io/json/4.5.4.3
HTTP/2 200
content-type: application/json
strict-transport-security: max-age=15768000
vary: Origin
x-database-date: Tue, 26 Sep 2017 23:24:49 GMT
x-ratelimit-limit: 20000
x-ratelimit-remaining: 19999
x-ratelimit-reset: 3600
content-length: 194
date: Tue, 03 Oct 2017 05:28:05 GMT

{"ip":"4.5.4.3","country_code":"US","country_name":"United States","region_code":"","region_name":"","city":"","zip_code":"","time_zone":"","latitude":37.751,"longitude":-97.822,"metro_code":0}
```
```
➜ ~ curl -i https://geoip.mydomainhere.io
HTTP/2 404
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 19
date: Tue, 03 Oct 2017 05:33:24 GMT

404 page not found
```
fiorix commented
I think this is an easy fix. Will give it a shot and update this soon.
fiorix commented
https://github.com/fiorix/freegeoip/releases/tag/v3.4.1 is out. Let me know if you have any troubles.
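
The behaviour discussed in this thread, as an added example that is not freegeoip's code or the change shipped in v3.4.1: a header set inside one route handler is missing from the router's 404, while a wrapper around the whole handler puts it on every status. The names `newMux`, `withHSTS` and `probe` and the single-route API are constructed for illustration, and the service is assumed to be reachable over HTTPS only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Same max-age as the 200 response quoted in the issue.
const hstsValue = "max-age=15768000"

// newMux is a constructed stand-in API: one JSON route, all else is a 404.
// perRoute=true sets HSTS inside the route only (the reported symptom).
func newMux(perRoute bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/json/", func(w http.ResponseWriter, r *http.Request) {
		if perRoute {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"ip":"4.5.4.3"}`)
	})
	return mux
}

// withHSTS sets the header before the wrapped handler runs, so it is already
// in the header map when any status (404, 3xx, 5xx) is written.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// probe sends an in-memory GET and returns the status code and HSTS header.
func probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	for _, p := range []string{"/json/4.5.4.3", "/"} {
		c1, h1 := probe(newMux(true), p)
		c2, h2 := probe(withHSTS(newMux(false)), p)
		fmt.Printf("%-14s per-route: %d %q | wrapped: %d %q\n", p, c1, h1, c2, h2)
	}
}
```

A scanner that requests `/` only sees the 404 path, which is why the per-route variant is reported as having no HSTS.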