Solved! CloudFlare config: How to understand HSTS (HTTP Strict Transport Security)
We would appreciate it if you could share some additional details regarding your server/domain/settings, e.g.
I have checked two of my websites (one of them is connected to Cloudflare) with my laptop's browser (and with at least two online tools) and did not find doubled HSTS headers.
- What OS and Plesk versions are used?
- What version of SSL It! is installed?
- Do you use Cloudflare or something similar in front of a website?
- What other headers present in the server's response? URL?
- How do you check headers, what tool / online resource?
Thanks Peter, I don't use any PHP, I just use .NET.
Maybe it was added by an additional directive in either the web server configuration page or by an entry in .htaccess?
I can't find it either. There isn't any Strict-Transport-Security header when I debug in the development environment. And also, I have added almost all headers as I said before, and I don't add Strict-Transport-Security in dev. It's just added in the production environment in a way I don't understand. I don't understand where the first value comes from.
@AYamshanov
This issue is current today:
We would appreciate it if you could share some additional details regarding your server/domain/settings, e.g.
What OS and Plesk versions are used? --> Ubuntu 22 and Plesk Obsidian v18.0.61
What version of SSL It! is installed? --> 1.15.3-3574
Do you use Cloudflare or something similar in front of a website? --> No.
What other headers are present in the server's response? URL? --> Please see attached text file. (Edit: the Plesk forum doesn't allow text uploads. Picture attached.)
How do you check headers, what tool / online resource? --> HTTP Header and Status Checker
Edit: We have not put in place any special tweaks to the plesk code, simply used the SSL it! Extension standard interface.
Interestingly, querying without "www" showed this:
myhost:~# curl -s -IXGET Example Domain | grep strict
strict-transport-security: max-age=63072000; includeSubDomains
strict-transport-security: max-age=63072000; includeSubDomains
myhost:~# curl -s -IXGET Example Domain | grep strict
strict-transport-security: max-age=63072000; includeSubDomains
myhost:~# grep strict /var/www/vhosts/system/example.com/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
It appears that this behavior is observed when the Redirect from http to https option is disabled and HSTS is enabled.
The development team confirmed that this is a bug. An internal task has been created and the bug is with ID: EXTSSLIT-2167.
Until the bug is fixed, one of the following two workarounds can be applied:
1) Enable the Redirect from http to https option in Domains > example.com > SSL/TLS Certificates.
2) Manually enable HSTS via additional HTTPS settings, for example:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
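To verify whether the workaround actually removed the duplicate, and to see what a browser will do with the response in the meantime, here is a small checker. It is an added example, not Plesk or SSL It! code: it parses a raw HTTP response head, counts Strict-Transport-Security fields, and evaluates the one a browser will honour (RFC 6797 section 8.1 says a user agent processes only the first STS field when several are present), including the preload-list requirements on max-age and includeSubDomains. The two sample responses are constructed to mirror the doubled header in this thread and the fixed header from workaround 2; no network access is needed, though the output of `curl -sI https://example.com` can be fed to `audit_hsts` unchanged.

```python
"""Audit Strict-Transport-Security headers in a raw HTTP/1.x response.

Added example, not part of Plesk or the SSL It! extension. The sample
responses below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# hstspreload.org currently requires max-age of at least one year,
# includeSubDomains and the preload directive before a domain is accepted.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (name, value) pairs.

    Names are lower-cased; order and duplicates are preserved so the caller
    can see exactly how many STS fields the server emitted.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts_value(value: str) -> HstsPolicy:
    """Parse one STS field value into its directives (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            policy.max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(token)
    return policy


def audit_hsts(raw: str) -> dict:
    """Return the STS field count, the effective policy and a list of findings."""
    sts = [v for n, v in parse_response_headers(raw)
           if n == "strict-transport-security"]
    if not sts:
        return {"count": 0, "effective": None, "findings": ["no HSTS header"]}
    effective = parse_hsts_value(sts[0])  # browsers honour only the first field
    findings = []
    if len(sts) > 1:
        findings.append(f"{len(sts)} Strict-Transport-Security headers; "
                        "browsers use only the first")
        if len(set(sts)) > 1:
            findings.append("duplicate HSTS headers disagree; the effective "
                            "policy may not be the intended one")
    if effective.max_age is None:
        findings.append("max-age missing or not numeric; header is invalid")
    elif effective.max_age == 0:
        findings.append("max-age=0 clears any stored policy")
    if effective.preload:
        if effective.max_age is None or effective.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requires max-age >= 31536000")
        if not effective.include_subdomains:
            findings.append("preload requires includeSubDomains")
    if effective.unknown:
        findings.append("unknown directives: " + ", ".join(effective.unknown))
    return {"count": len(sts), "effective": effective, "findings": findings}


# Constructed sample: the doubled header reported in the thread.
DOUBLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "strict-transport-security: max-age=63072000; includeSubDomains\r\n"
    "strict-transport-security: max-age=63072000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# Constructed sample: what the server sends after workaround 2.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("doubled", DOUBLED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        result = audit_hsts(raw)
        print(label, result["count"], result["effective"], result["findings"])
```

Because both duplicate fields in the thread carry the same value, the effective policy is unaffected; the checker still flags the duplicate so it can be cleaned up, since a later config edit that changes only one of the two lines would leave the browser on whichever value happens to be emitted first.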