AnsweredAssumed Answered

HSTS and HTTP/2

Question asked by Enrico Pelletta on Jul 31, 2018

I'm testing HTTP/2 support in our system, and I got confused by a detail regarding HSTS.

 

We have been using HSTS on HTTP/1.1, but our proxy/LB solution does not set HSTS headers when HTTP/2 is used. I believe the point is HTTP/2 (At least on all common implementations) only runs on TLS. I tested with Qualys SSL Lab scan some of the HTTP/2 enable sites (with no HSTS headers on HTTP/2) and they still get A+ (HSTS is reported enabled since works on HTTP/1.1). However HSTS idea is to prevent clients using under any circumstances clear-text communication on secure sites. Thus, unless HSTS is implicitly defined in HTTP/2, I can still see the possibility of force downgrading to HTTP/1.1 and then impose HTTP (no TLS)...

 

I have looked a bit around, but I could find no tips, neither I manage to get more info from HTTP/2  RCF, but I may simply have failed to understand. I wonder if anyone in the community has more experience about, or SSL Lab test have recommendation about that I may have missed...

 

Regards

Outcomes