
HSTS-Header not honored by SSLLabs

Question asked by wafh on May 11, 2014
Latest reply on May 12, 2014 by wafh

Hi everybody,

Got a website running where the HSTS header is definitely set, but ssllabs shows HSTS (no)?

root@gm:~# curl -I http://www.isar-toner.de -k
HTTP/1.1 302 Found
Connection: close
Content-Type: text/html
Location: https://www.isar-toner.de/

root@gm:~# curl -I https://www.isar-toner.de -k
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96795
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=uo2exuhbxzsavlbp5dmrf4me; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 12 May 2014 06:23:41 GMT
Strict-Transport-Security: max-age=31536000

Strict Transport Security (HSTS)    No

Any ideas what's wrong?

Thanks,

Wayne
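
An added example, not part of the original post: the two curl responses above checked against the client-side rules of RFC 6797 (header syntax, and the rule that the header only counts over TLS). It shows what a conforming browser would record from these headers and says nothing about how SSL Labs evaluates the site; the function names are hypothetical and the header blocks are abridged from the output in the post.

```python
import re

# Header blocks abridged from the curl -I output in the post above.
HTTP_RESPONSE = """HTTP/1.1 302 Found
Connection: close
Content-Type: text/html
Location: https://www.isar-toner.de/
"""
HTTPS_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
Strict-Transport-Security: max-age=31536000
"""

def header_values(raw, name):
    """Return every value of header `name` (case-insensitive) in a raw header block."""
    values = []
    for line in raw.splitlines()[1:]:           # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def parse_hsts(value):
    """Parse one Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns {'max_age': int, 'include_subdomains': bool}, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                             # empty directives are allowed
        key, _, val = part.partition("=")
        key = key.strip().lower()                # directive names are case-insensitive
        if key in seen:
            return None                          # a directive must not repeat
        seen[key] = val.strip().strip('"')       # value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                              # max-age is required, digits only
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def hsts_policy(raw, over_tls):
    """Policy a conforming client would record from this response, or None."""
    if not over_tls:
        return None                              # section 8.1: ignored over plain HTTP
    values = header_values(raw, "Strict-Transport-Security")
    # section 8.1: with several STS header fields, only the first is processed
    return parse_hsts(values[0]) if values else None
```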
