
HSTS Security

Question asked by Graham Horne on Apr 2, 2015
Latest reply on Apr 7, 2015 by Graham Horne

I am afraid I don't get this. I have been working on it for a few days, and the server seems to be working as expected. I get an A- rating, and I can accept that, as I am only using Apache 2.4.6, which does not support all the elliptical ciphers for perfect forward security that MS require, and I have not turned on public key pinning because I will change certificates shortly. I accept the downgrade to be able to support some browsers (MS IE). Not an MS friend, I am afraid.

My site is www.identitylabs.uk and I checked it all out from an off-site server; the results are below. As you can see, all requests in HTTP to the domain, with or without WWW, are 301 redirecting to the HTTPS site. As soon as you test the HTTPS sites, they reply with the Strict-Transport-Security headers set to what appears correct. What am I missing here?


Troubled

Graham

[maint@lonsrv01 ~]$ curl -I http://identitylabs.uk
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Apr 2015 13:45:59 GMT
Server: Apache
Location: https://www.identitylabs.uk/
Content-Type: text/html; charset=iso-8859-1

[maint@lonsrv01 ~]$ curl -I http://www.identitylabs.uk/
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Apr 2015 13:46:06 GMT
Server: Apache
Location: https://www.identitylabs.uk/
Content-Type: text/html; charset=iso-8859-1

[maint@lonsrv01 ~]$ curl -I https://identitylabs.uk/
HTTP/1.1 302 Found
Date: Thu, 02 Apr 2015 13:46:15 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: https://identitylabs.uk/portal
Content-Type: text/html; charset=iso-8859-1

[maint@lonsrv01 ~]$ curl -I https://www.identitylabs.uk/
HTTP/1.1 302 Found
Date: Thu, 02 Apr 2015 13:46:26 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: https://www.identitylabs.uk/portal
Content-Type: text/html; charset=iso-8859-1
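A small checker for the situation the post describes, added here as an example and not part of the original thread or of any Qualys tooling. It takes the four responses from the curl transcript above (embedded as a constructed sample), parses the Strict-Transport-Security value the way RFC 6797 tells clients to, and reports the things a grader cares about: the header must arrive over HTTPS (clients ignore it over plain HTTP), it must carry a valid max-age, and that max-age should be long; the 18-week threshold is an assumption chosen for this example.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: the four responses from the curl -I transcript above,
# cut down to the headers this check looks at.
RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("http://identitylabs.uk", {"Location": "https://www.identitylabs.uk/"}),
    ("http://www.identitylabs.uk/", {"Location": "https://www.identitylabs.uk/"}),
    ("https://identitylabs.uk/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                                 "Location": "https://identitylabs.uk/portal"}),
    ("https://www.identitylabs.uk/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                                     "Location": "https://www.identitylabs.uk/portal"}),
]
MIN_MAX_AGE = 15552000  # 18 weeks; assumed bar for a "long" policy in this example


def parse_hsts(value: str) -> dict:
    """RFC 6797 parse: names are case-insensitive, values may be quoted, unknown directives ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return findings; empty means every HTTPS response has a usable long-lived policy."""
    findings = []
    for url, raw in responses:
        headers = {k.lower(): v for k, v in raw.items()}  # header names are case-insensitive
        hsts = headers.get("strict-transport-security")
        if urlparse(url).scheme == "http":
            # RFC 6797 s8.1: clients ignore HSTS over plain HTTP; all it can do is redirect to HTTPS.
            if not headers.get("location", "").startswith("https://"):
                findings.append(f"{url}: plain HTTP does not redirect to HTTPS")
            continue
        if hsts is None:
            findings.append(f"{url}: no Strict-Transport-Security header")
            continue
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append(f"{url}: HSTS without a valid max-age is ignored by clients")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append(f"{url}: max-age={policy['max_age']} is shorter than {MIN_MAX_AGE}s")
    return findings
```

Against the transcript in the post the check comes back clean, which narrows the remaining questions to what the grader fetched (for example the /portal page both HTTPS hosts redirect to) rather than to the header itself.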
