
Server sends HSTS twice, SSL Labs reports none

Question asked by Valérie Martin on Oct 25, 2016
Latest reply on Nov 11, 2016 by Bhushan Lokhande

Compare SSL Server Test: www.targobank.de (Powered by Qualys SSL Labs) to:

curl -I https://www.targobank.de/
HTTP/1.1 403 Forbidden
Date: Tue, 25 Oct 2016 09:50:39 GMT
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

curl shows two Strict-Transport-Security headers, whereas SSL Labs reports:

Strict Transport Security (HSTS)    No

There's definitely something bogus in this server configuration, but SSL Labs' behaviour is somewhat odd too. Should it signal headers that appear more than once?
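
A check for the situation described in the question above, as an added example that is not part of the original post: it reads raw response headers (such as curl -sI output) on stdin and reports how many Strict-Transport-Security fields are present and which max-age comes from the first one, since RFC 6797 has a user agent process only the first such field. The function name hsts_audit and the verdict labels are this example's own; the sample headers are the ones quoted in the post.

```shell
# Audit Strict-Transport-Security fields in a raw header dump read from stdin.
# Prints: count=<n> effective_max_age=<seconds|none> verdict=<label>
# (hsts_audit and the verdict labels are names chosen for this example.)
hsts_audit() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        sub(/\r$/, "")                          # HTTP header lines end in CRLF
        colon = index($0, ":")
        if (colon == 0) next                    # status line or blank line
        if (tolower(substr($0, 1, colon - 1)) != "strict-transport-security") next
        value = trim(substr($0, colon + 1))
        n++
        if (n == 1) first = value               # only the first field is processed
        else if (value != first) conflict = 1   # later field disagrees with it
    }
    END {
        max_age = "none"
        k = split(first, parts, ";")
        for (i = 1; i <= k; i++) {
            d = trim(parts[i])
            if (tolower(d) ~ /^max-age[ \t]*=/) {
                v = trim(substr(d, index(d, "=") + 1))
                gsub(/"/, "", v)                # value may be a quoted-string
                if (v ~ /^[0-9]+$/) max_age = v
                break
            }
        }
        if (n == 0) verdict = "missing"
        else if (max_age == "none") verdict = "invalid"
        else if (n == 1) verdict = "ok"
        else if (conflict) verdict = "duplicate-conflicting"
        else verdict = "duplicate-identical"
        printf "count=%d effective_max_age=%s verdict=%s\n", n, max_age, verdict
    }'
}

# Response headers as quoted in the post above.
sample_response() {
    cat <<'EOF'
HTTP/1.1 403 Forbidden
Date: Tue, 25 Oct 2016 09:50:39 GMT
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
EOF
}
sample_response | hsts_audit
```

Against a live host the same function can be fed from curl -sI, and a non-ok verdict can fail a deployment check.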
