Server provided more than one HSTS header?

Question asked by Iain Hunneybell on Apr 28, 2019
Latest reply on May 3, 2019 by j-mailor

I operate a service that redirects defensively registered domains to a principal domain. On checking SSLLabs I note:


  Strict Transport Security (HSTS)    Invalid    Server provided more than one HSTS header

That seems pretty straightforward and indeed I was setting an HSTS value of 31536000 (one year) while the principal site, hosted by another service provider, is setting:

  Strict-Transport-Security: max-age=15768000

which is 6 instead of 12 months. So I set the redirect to use the same value, as in...

  http://defended-example.co.uk
  Host: defended-example.co.uk
  GET: HTTP/1.1 301 Moved Permanently
  Strict-Transport-Security: max-age=15768000
  Location: https://www.example.co.uk

  GET: HTTP/1.1 200 OK
  Content-Type: text/html; charset=UTF-8
  Strict-Transport-Security: max-age=15768000

So now both values match, yet I still get this 'more than one HSTS header' error. Why?


Indeed, the defended domain, which I was testing, only sends one response and so the 'more than one HSTS header' is impossible from that site as there is only one request/response. This suggests the 'error' spans multiple sites and follows the redirect chain seeing different HSTS policies between the defended and principal domain, but then after making the defended and principal domain set identical HSTS values, I still see the same issue?


What's going on and how do I 'fix' this error ... or is it a bug?
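A small per-hop checker, added here as an example and not part of the original post or of SSL Labs' own tooling, that walks a redirect chain offline over constructed responses and reports, for each single response, how many Strict-Transport-Security headers it carries, what max-age the first one sets, and whether the header can take effect at all. The domains and raw responses are constructed to mirror the exchange above; the second hop is deliberately built with two STS headers so that one response shows the duplicate condition, and the http:// hop shows why a header on a plain-HTTP redirect sets no policy (RFC 6797 section 8.1).

```python
import re
# Constructed sample responses (not real captures): hop 1 is the defended
# domain's redirect, hop 2 the principal site, built with two STS headers
# so one response shows the "more than one HSTS header" condition.
HOPS = {
    "http://defended-example.co.uk":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Strict-Transport-Security: max-age=15768000\r\n"
        "Location: https://www.example.co.uk\r\n\r\n",
    "https://www.example.co.uk":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "Strict-Transport-Security: max-age=15768000\r\n"
        "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n\r\n",
}

def parse_response(raw):
    """Split a raw response head into (status code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in head[1:])]
    return status, headers

def hsts_check(url, raw):
    """Report the STS headers of one response as a browser would see them."""
    status, headers = parse_response(raw)
    sts = [v for n, v in headers if n == "strict-transport-security"]
    ages = [int(m.group(1)) for m in (re.search(r"max-age=(\d+)", v) for v in sts) if m]
    return {
        "url": url, "status": status, "sts_count": len(sts),
        # RFC 6797 s8.1: a UA processes only the first STS header; a second
        # one in the same response is the duplicate the scanner reports.
        "duplicate": len(sts) > 1,
        "max_age": ages[0] if ages else None,
        # RFC 6797 s8.1: STS received over plain http is ignored, so the
        # header on the http:// redirect hop sets no policy at all.
        "effective": bool(sts) and url.startswith("https://"),
        "location": next((v for n, v in headers if n == "location"), None),
    }

def follow_chain(start, responses=HOPS, limit=5):
    # Walk the redirect chain (bounded by limit) and return one report per hop.
    reports, url = [], start
    while url in responses and len(reports) < limit:
        report = hsts_check(url, responses[url])
        reports.append(report)
        if not (300 <= report["status"] < 400 and report["location"]):
            break
        url = report["location"]
    return reports
```

Run `follow_chain("http://defended-example.co.uk")` to get the two per-hop reports; against a live site the same checks apply to each response fetched with a normal HTTP client.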
