• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved SSL It - HSTS appearing twice in headers

thinkingcap

Basic Pleskian
Thought I would try the SSL iT extension - when I enable HSTS it appears twice in returned headers.
Code:
strict-transport-security: max-age=15768000; includeSubDomains
strict-transport-security: max-age=15768000; includeSubDomains

Anyone else see same?

TIA
Dave
 
In config of my domain I see only following lines from SSLIt!

Code:
#extension sslit begin

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        #OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        #extension sslit end
 
Yes, i can confirm that it sends double headers.

If the response comes from Nginx directly there is only one Strict-Transport-Security header (correct behaviour).
If Nginx acts as a proxy for a response coming from Apache then a second "Strict-Transport-Security" is added.

In the Apache config file i can see the following line:
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

By running a test on SSL Labs i get the following errors:
"Server sent invalid HSTS policy. See below for further information."
"Strict Transport Security (HSTS) Invalid - Server provided more than one HSTS header"


Nginx is always involved to a response (proxy mode or not), so it should be the only one sending the Strict-Transport-Security header.

Examples:
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/test.jpg
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:36 GMT
content-type: image/jpeg
content-length: 241765
last-modified: Fri, 23 Sep 2016 20:36:41 GMT
etag: "57e59259-3b065"
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
accept-ranges: bytes
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:41 GMT
content-type: text/html
content-length: 3465
strict-transport-security: max-age=15768000; includeSubDomains
last-modified: Wed, 13 Feb 2019 22:40:23 GMT
etag: "d89-581ce3a382177"
accept-ranges: bytes
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
----------------------------------------
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of SSLit extension. Please refer to the following bug's ID: EXTSSLIT-462
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of SSLit extension. Please refer to the following bug's ID: EXTSSLIT-462
Any update on this?
Also, where do we track Plesk bugs?
 
Hello, thank you for your patience! This bug is not resolved yet, but it is planned to be fixed in one of the next releases.
 
Great that this is now resolved - at least in Obsidian.
You can remove HSTS config from nginx config and just use the extension.
 
thx but here is not possible 1 year :( because the hstspreload.org say;

The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000.
 
I still have the same error, any solution?
Do you mean problem with double HSTS headers? This bug was fixed in SSLit! version 1.1.2. Could you please check which version of SSLit extension is installed on your server?
 
Do you mean problem with double HSTS headers? This bug was fixed in SSLit! version 1.1.2. Could you please check which version of SSLit extension is installed on your server?

Hello everyone!

My Strict-Transport-Security it's always "max-age=0; includeSubDomains; preload"

It doesn't matter what change you make in the HTST configuration in plesk or what lines you add to the nginx configuration, max-age it's always 0.

I've also tried different combinations of headers in the nginx config, like:

add_header Strict-Transport-Security "max-age=2592000;includeSubDomains;preload" always;

But no changes. Any idea?

Thanks!

1621982678758.png1621982702117.png
 
Back
Top