
Input SSL It and HSTS Options

LRLD

New Pleskian
Server operating system version
Ubuntu 20
Plesk version and microupdate number
18.0.55
Hi everyone,

The SSL It extension seems to check if you have already enabled OCSP, but it doesn't for HSTS, leaving a warning that security can be improved.
I had to add the HSTS header manually due to the lack of a "preload" option when enabling through SSL It.
It would be really nice if we could have a "preload" checkbox like we have for "include subdomains" and "Apply to webmail".
Just a thought.

Kind regards

LD
 

If a website accepts a connection through HTTP and redirects to HTTPS then 'preload' prevents a man-in-the-middle attack as far as I understand, so the feature should not be an optional addon for people to vote for in the hope that one day it might get implemented.

I was also looking at hstspreload.org to check HSTS preload status and eligibility. I have SSL It! > redirect from http to https active and my domain in WP is using www., and I added HSTS manually as LD did.

hstspreload.org error:
Error: `http://domain.co.uk` (HTTP) should immediately redirect to `https://domain.co.uk` (HTTPS) before adding the www subdomain. Right now, the first redirect is to `https://www.domain.co.uk/`. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

Does anyone know how to resolve this issue?

Thanks in advance
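
An added example, not part of either post and not Plesk or hstspreload.org code: a small checker for the two conditions discussed in this thread, the directives the preload list expects in the `Strict-Transport-Security` header and the redirect order named in the error above. The function names and the `example.test` sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the minimum max-age the preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives

def header_problems(value):
    """Return the preload requirements that the header value fails."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()
            and int(max_age) >= MIN_MAX_AGE):
        problems.append("max-age below %d" % MIN_MAX_AGE)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems

def redirect_problems(chain):
    """chain: URLs visited in order, starting at http://<apex>/."""
    if len(chain) < 2:
        return ["no redirect from HTTP"]
    start, first = urlsplit(chain[0]), urlsplit(chain[1])
    problems = []
    if first.scheme != "https":
        problems.append("first redirect is not to HTTPS")
    if first.hostname != start.hostname:
        problems.append("first redirect changes host to %s before upgrading %s"
                        % (first.hostname, start.hostname))
    return problems

# Constructed samples (example.test is a placeholder domain).
BAD_CHAIN = ["http://example.test/", "https://www.example.test/"]
GOOD_CHAIN = ["http://example.test/", "https://example.test/",
              "https://www.example.test/"]
```

The chain for a real domain can be read from the `Location` headers printed by `curl -sIL http://yourdomain/`.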