Investigate lack of HSTS on www.targobank.de #416

Closed
ivanr opened this issue Oct 26, 2016 · 1 comment

Comments

@ivanr
Contributor

commented Oct 26, 2016

Reported on https://community.qualys.com/message/35167-server-sends-hsts-twice-ssl-labs-reports-none

There's a couple of things going on here. First, it seems that this web site doesn't like the SSL Labs user agent, because it's responding with 403. The same happens with curl. When responding with 403, it sends two HSTS headers, but SSL Labs is not reporting anything. This is the second problem. SSL Labs should process the first and warn about the presence of the second, per the HSTS RFC.

@ivanr ivanr added the bug label Oct 26, 2016

@bhushan5640

Collaborator

commented Nov 11, 2016

Fix deployed on the Dev server. Adding the following request header resolved the issue:
Accept: */*

We have a warning for the presence of more than one header:
"Server provided more than one HSTS header"

@ivanr ivanr closed this Nov 15, 2016
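
The behaviour requested in this issue (process the first HSTS header and warn about the second, per RFC 6797), as an added Python example; it is not SSL Labs code. The function names and the sample response headers are constructed for illustration.

```python
import re

HSTS = "strict-transport-security"

def parse_hsts(value):
    """Parse one Strict-Transport-Security value; return (policy, error)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the RFC 6797 grammar allows empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None, f"directive {name!r} appears more than once"
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None, "missing or non-numeric max-age"
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}, None

def evaluate_hsts(headers):
    """headers: list of (name, value) pairs in wire order, duplicates kept."""
    values = [v for n, v in headers if n.strip().lower() == HSTS]
    result = {"policy": None, "warnings": []}
    if not values:
        result["warnings"].append("No HSTS header")
        return result
    if len(values) > 1:
        result["warnings"].append("Server provided more than one HSTS header")
    policy, error = parse_hsts(values[0])  # only the first header counts
    if error:
        result["warnings"].append(f"First HSTS header is invalid: {error}")
    result["policy"] = policy
    return result

# Constructed sample: a 403 response carrying two HSTS headers.
SAMPLE_403 = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("strict-transport-security", "max-age=0"),
]

if __name__ == "__main__":
    print(evaluate_hsts(SAMPLE_403))
```

The input has to be the raw header list: HTTP client APIs that merge repeated headers into one comma-joined value hide the duplicate and hand the parser an invalid `max-age`.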
