
HSTS shows in curl, but Not in SSLLabs Test

Question asked by Jess D on Apr 10, 2014
Latest reply on Jun 7, 2014 by Jess D

Hi All,

I ran the SSL Server Test on my server and received an A score; however, I'm confused as to why the test result for Strict Transport Security (HSTS) is "No."

curl -I http://xxx.xxx.com yields the following result (as expected, no HSTS on http):

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 10 Apr 2014 19:51:33 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://xxx.xxx.com/
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

curl -I https://xxx.xxx.com yields the following (all seems fine):

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Apr 2014 19:53:56 GMT
Content-Type: text/html
Content-Length: 260
Last-Modified: Wed, 19 Feb 2014 05:37:31 GMT
Connection: keep-alive
ETag: "#######x-###"
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Accept-Ranges: bytes

I am missing some nuance here. Curl shows that HSTS is working, but the SSL Server Test does not agree.

What am I missing?

Thanks for your help!

steady
