I ran the SSL Server Test on my server and received an A score; however, I'm confused as to why the test result for Strict Transport Security (HSTS) is "No."
curl -I http://xxx.xxx.com yields the following result (as expected, no HSTS on http):
HTTP/1.1 301 Moved Permanently
Date: Thu, 10 Apr 2014 19:51:33 GMT
curl -I https://xxx.xxx.com yields the following (all seems fine):
HTTP/1.1 200 OK
Date: Thu, 10 Apr 2014 19:53:56 GMT
Last-Modified: Wed, 19 Feb 2014 05:37:31 GMT
Strict-Transport-Security: max-age=31536000; includeSubdomains
I am missing some nuance here. Curl shows that HSTS is working, but the SSL Server Test does not agree.
What am I missing?
Thanks for your help!
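
Added example, not part of the original post: a Python sketch that applies the RFC 6797 parsing rules to the two responses quoted above. The sample strings are constructed from the headers shown in the post and the function names are hypothetical. It shows that directive names are case-insensitive, so `includeSubdomains` parses as a valid directive, and that a header seen over plain HTTP is ignored.

```python
import re

# Constructed sample: the two responses quoted in the post (headers as shown there).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Thu, 10 Apr 2014 19:51:33 GMT\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 10 Apr 2014 19:53:56 GMT\r\n"
    "Last-Modified: Wed, 19 Feb 2014 05:37:31 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n\r\n"
)

def hsts_headers(raw_response):
    """Return every Strict-Transport-Security field value in a raw header block."""
    values = []
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_hsts(value):
    """Parse one header value per RFC 6797 section 6.1; return None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = arg.strip().strip('"')  # the value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def effective_policy(raw_response, secure):
    """Policy a conforming client would store from this response, or None."""
    if not secure:
        return None  # headers received over plain HTTP are ignored (section 8.1)
    values = hsts_headers(raw_response)
    # Only the first header field is processed when several are present.
    return parse_hsts(values[0]) if values else None
```
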