trailofbits/twa

Incorrect MEH rating on the Strict-Transport-Security test

Ippo343 opened this issue · 1 comments

Using twa at commit 30e704b I get an incorrect "MEH" rating on the Strict-Transport-Security test.
However, I configured my site to send the includeSubdomains; preload; options.

$ curl -I https://wikipiedi.it
[...]
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload;
[...]

But:

$ ./twa wikipiedi.it
Connection to wikipiedi.it 443 port [tcp/https] succeeded!
PASS(wikipiedi.it): HTTP redirects to HTTPS using a 301
PASS(wikipiedi.it): max-age is at least 6 months
MEH(wikipiedi.it): Strict-Transport-Security, but no includeSubDomains
MEH(wikipiedi.it): Strict-Transport-Security, but no preload

Thanks for the report! I'll look into this tonight.
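
For reference, an added example (not twa's code and not from this thread): a POSIX shell check of the header value reported above that follows RFC 6797, where directive names are case-insensitive and empty directives such as a trailing `;` are allowed. The function names, the output wording for passing directives and the 15768000-second six-month threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not twa's implementation.
SIX_MONTHS=15768000   # assumed threshold: 182.5 days in seconds

# hsts_directive VALUE NAME
# Exit 0 if directive NAME is present in the header VALUE (name compared
# case-insensitively), printing its argument if it has one; exit 1 otherwise.
hsts_directive() (
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  set -f      # no globbing while splitting on ';'
  IFS=';'
  for part in $1; do
    # Trim whitespace; skip empty directives (e.g. from a trailing ';').
    part=$(printf '%s' "$part" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$part" ] || continue
    name=$(printf '%s' "${part%%=*}" | sed 's/[[:space:]]*$//' \
           | tr '[:upper:]' '[:lower:]')
    if [ "$name" = "$want" ]; then
      case $part in
        *=*) printf '%s\n' "${part#*=}" \
               | sed 's/^[[:space:]]*//; s/^"//; s/"$//' ;;
      esac
      exit 0
    fi
  done
  exit 1
)

# hsts_check VALUE: print one rating line per check.
hsts_check() (
  max_age=$(hsts_directive "$1" max-age) || max_age=
  case $max_age in
    ''|*[!0-9]*) echo "FAIL: max-age missing or not a number" ;;
    *) if [ "$max_age" -ge "$SIX_MONTHS" ]; then
         echo "PASS: max-age is at least 6 months"
       else
         echo "MEH: max-age is less than 6 months"
       fi ;;
  esac
  for d in includeSubDomains preload; do
    if hsts_directive "$1" "$d" >/dev/null; then
      echo "PASS: $d present"
    else
      echo "MEH: Strict-Transport-Security, but no $d"
    fi
  done
)

# Header value copied from the curl output in the report.
hsts_check 'max-age=63072000; includeSubdomains; preload;'
```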