
Strict Transport Security header

Question asked by Clerkendweller on Nov 25, 2010
Latest reply on Nov 25, 2010 by Clerkendweller

Using SSL Labs, I looked at a few sites with Strict-Transport-Security enabled, and they don't all seem to be marked as "Yes" in SSL Labs, e.g. a PayPal server:

Date: Thu, 25 Nov 2010 11:24:19 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Expires: Thu, 05 Jan 1995 22:00:00 GMT
Set-Cookie: .....
Apache=10.190.11.249.1290684259289247; path=/; expires=Sat, 17-Nov-40 11:24:19 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=500
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

200 OK


In SSL Labs:

  https://www.ssllabs.com/ssldb/analyze.html?d=www.paypal.com&s=66.211.169.66
  Strict Transport Security     No


I realise these two might not be the same server, but I would imagine PayPal have this header on all their servers? I also get the impression that some data (e.g. header signature) are being cached in SSL Labs, even when "Clear cache" is selected, and wonder if this is related.
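
An added example, written for this page and not code from the post, from PayPal or from SSL Labs: the checker below pulls the Strict-Transport-Security header out of a raw HTTP response, parses its directives, and reports what a practitioner would look at first (a missing or non-numeric max-age, which makes browsers ignore the header; a short max-age such as the 500 seconds in the response quoted above; no includeSubDomains). It also includes a live probe that connects to a chosen IP while still sending the real hostname as SNI and in the Host header, so that individual servers behind one name can be compared the way the s= parameter in the SSL Labs URL above does. The embedded sample response is constructed from the headers quoted above, with the cookie lines dropped and an assumed HTTP/1.1 status line added; the 180-day minimum in assess() is this example's own threshold, not a value from the post or from SSL Labs.

```python
import socket
import ssl

# Constructed sample: the PayPal headers quoted in the post above, with the
# cookie lines dropped and an assumed status line put first.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 25 Nov 2010 11:24:19 GMT\r\n"
    "Server: Apache\r\n"
    "Cache-Control: private\r\n"
    "Strict-Transport-Security: max-age=500\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value into its directives.

    Directive names are case-insensitive and values may be quoted. A missing
    or non-numeric max-age leaves max_age as None: such a header is not a
    valid HSTS policy and user agents ignore it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age" and raw.isdigit():
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_from_response(raw_response):
    """Return the parsed HSTS policy from a raw HTTP response, or None.

    Only the first Strict-Transport-Security header is used, which is what
    RFC 6797 tells user agents to do when a response carries more than one.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def assess(policy, min_age=180 * 24 * 3600):
    """Return findings for a parsed policy (None means no header was sent).

    The 180-day minimum is this example's own choice, not an SSL Labs rule.
    """
    if policy is None:
        return ["no Strict-Transport-Security header on this response"]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing or invalid: browsers ignore the header")
    elif policy["max_age"] < min_age:
        findings.append(
            f"max-age={policy['max_age']}s is short: the policy lapses "
            f"{policy['max_age']}s after the browser's last visit"
        )
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings


def probe_hsts(hostname, ip=None, port=443, path="/"):
    """Fetch https://hostname/ from a specific IP and return its HSTS policy.

    Connecting to an explicit IP while still sending hostname as SNI and as
    the Host header lets you compare the servers behind one name, which is
    the situation raised in the post. HSTS only counts when received over
    TLS, so a plain-HTTP probe would never be meaningful. Network access is
    required; this function is not exercised offline.
    """
    ctx = ssl.create_default_context()
    request = f"HEAD {path} HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((ip or hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(request.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return hsts_from_response(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    for finding in assess(hsts_from_response(SAMPLE_RESPONSE)):
        print(finding)
```

Run against the constructed sample it reports the 500-second max-age as short (the policy expires about eight minutes after a browser's last visit) and the absence of includeSubDomains. To reproduce the comparison in the post, call probe_hsts("www.paypal.com", ip="66.211.169.66") and then the same hostname without ip= (or with another address from DNS); a "No" from SSL Labs for one address and a header from another is consistent with the two not being the same server, which is exactly what a per-IP probe settles. Note that the IP above is the one in the post and may no longer belong to that host.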
