I operate a service that redirects defensively registered domains to a principal domain. On checking SSLLabs I note:
    Strict Transport Security (HSTS)    Invalid: Server provided more than one HSTS header
That seems pretty straightforward and indeed I was setting an HSTS value of 31536000 (one year) while the principal site, hosted by another service provider, is setting:
which is 6 instead of 12 months. So I set the redirect to use the same value, as in...
    Host: defended-example.co.uk
    GET: HTTP/1.1 301 Moved Permanently

    GET: HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
So now both values match, yet I still get this 'more than one HSTS header' error. Why?
Indeed, the defended domain, which I was testing, only sends one response, and so the 'more than one HSTS header' error is impossible from that site alone, as there is only one request/response. This suggests the 'error' spans multiple sites and follows the redirect chain, seeing different HSTS policies between the defended and principal domain; but after making the defended and principal domain set identical HSTS values, I still see the same issue?
What's going on and how do I 'fix' this error ... or is it a bug?
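An added example, not part of the question above: a small offline checker that walks a list of raw HTTP responses (one per hop of a redirect chain) and, for each hop, counts the Strict-Transport-Security fields it carries and extracts the max-age. The SSL Labs message quoted in the question refers to a single response carrying more than one Strict-Transport-Security field; RFC 6797 section 8.1 says a user agent processes only the first such field and ignores the rest, which is why the checker reports the first value as the effective one. The responses below are constructed for the example (the hostnames, the `Location` value and the max-age numbers are assumptions, not values from the question); to audit a real chain, capture each hop's response head with a tool such as `curl -sI` and feed it in.

```python
import re

# Constructed sample chain: hop 0 is a 301 redirect carrying one HSTS field,
# hop 1 is the final 200 response carrying two HSTS fields (once from the
# application and once from the web server, a common way duplicates arise).
SAMPLE_CHAIN = [
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://principal-example.invalid/\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "\r\n",
]

# max-age directive per RFC 6797; the value may be quoted, names are case-insensitive.
MAX_AGE_RE = re.compile(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)"?')


def hsts_values(raw_response):
    """Return every Strict-Transport-Security field value in a raw response head, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]  # drop the status line
    values = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values


def max_age(field_value):
    """Parse the max-age directive from one HSTS field value; None if absent."""
    match = MAX_AGE_RE.search(field_value)
    return int(match.group(1)) if match else None


def audit_hop(raw_response):
    """Summarise the HSTS state of one response in the chain."""
    values = hsts_values(raw_response)
    status_line = raw_response.split("\r\n", 1)[0]
    return {
        "status": status_line,
        "hsts_count": len(values),
        # RFC 6797 section 8.1: only the first STS field is processed by a UA.
        "effective_max_age": max_age(values[0]) if values else None,
        "duplicate": len(values) > 1,
    }


def audit_chain(chain):
    """Audit every hop and return the per-hop summaries in chain order."""
    return [audit_hop(raw) for raw in chain]


if __name__ == "__main__":
    for index, report in enumerate(audit_chain(SAMPLE_CHAIN)):
        flag = "  <-- more than one HSTS header" if report["duplicate"] else ""
        print(f"hop {index}: {report['status']} | HSTS fields: {report['hsts_count']}"
              f" | effective max-age: {report['effective_max_age']}{flag}")
```

Running it on the constructed chain flags only the second hop, even though both hops advertise the same effective max-age, which is the situation the question describes: matching values across the two domains do not help when one of the responses itself carries the field twice.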