Issues checking HSTS on .gov #15
Comments
Perhaps related -- if not, I'll spin off a separate ticket. But here's the
Neither root nor
It looks like it's following the redirects to I request
What would you expect it returns? Would you ever want to know about 1, 2, and 3?
Well, this situation isn't any of those 3, because in this case, For 2 -- I do expect the root and for For 3, where it goes to a non- However, HSTS is special -- it doesn't care about any of these redirects, because HSTS is in place primarily to protect users from redirects. HSTS only applies to the exact domain it's specified for -- so if:
Then
Right now, despite including subdomains and indicating a willingness to be preloaded, This may be an example of where
For at least this case -- here's the curl --head result for bfelob.gov:
Both redirect to bfelob.max.gov. But I'm interested in the HSTS header for bfelob.gov. The HSTS header differs between the root and the `www` subdomain. When I use site-inspector, the header it captures for HSTS is the one for `www` (`max-age=86400`). This incorrectly doesn't detect that the root is fully HSTS preload enabled. I can dig in, but -- any ideas?