• Resolved jkling

    (@jkling)


    Hello,

    I use this tool to check security and privacy of my websites

    https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fserious-games.at%2F#headers

    Although I have these settings in the firewall

    Basic Policies:
    Enable NinjaFirewall for HTTPS traffic only

    Advanced Policies:
    Set Strict-Transport-Security 1 year

    I have got the result:
    Strict-Transport-Security NO and a red warning

    Only after I have added this into root/.htaccess

    <IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=15768000; includeSubDomains" env=HTTPS
    </IfModule>

    I have got the result:
    Strict-Transport-Security YES, max-age=31536000, max-age=15768000; includeSubDomains

    max-age=31536000 must be the 1 year
    Any idea why the settings in the firewall alone did not work?
    Where do you save the information about the 31536000 seconds?

    Best regards
    Jürgen

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    See this discussion: https://www.ads-software.com/support/topic/http-response-headers/
    You seem to have exactly the same problem.

    Thread Starter jkling

    (@jkling)

    Hi,

    the different approaches of the scanners may be an explanation.
    But it is still confusing why in my case both values are shown or none.

    The results with .htaccess

    1) securityheaders.com
    Strict-Transport-Security max-age=31536000 (NFW value)
    Warnings There was a duplicate Strict-Transport-Security header

    2) https://www.htbridge.com
    The header is properly set.
    Strict-Transport-Security: max-age=15768000; includeSubDomains (htaccess value)

    3) observatory.mozilla.org
    Test Scores
    HTTP Strict Transport Security (HSTS) header cannot be recognized
    Raw Server Headers
    max-age=31536000, max-age=15768000; includeSubDomains (both)

    The results without .htaccess

    1)securityheaders.com
    Strict-Transport-Security max-age=31536000 (NFW value)
    No Warnings

    2) https://www.htbridge.com
    The header is properly set.
    Strict-Transport-Security: max-age=31536000

    3) observatory.mozilla.org
    Test Scores
    HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000) CRAZY??? maybe some weird caching
    Raw Server Headers
    max-age=31536000

    /*** And finally the big surprise of the day ***/
    4) webbkoll.dataskydd.net
    Strict-Transport-Security YES, max-age=31536000

    Last time it failed. This failure was the reason for my request.
    My résumé: whatever a scanner tells you, NFW works ??

    Best regards
    Jürgen

    Plugin Author nintechnet

    (@nintechnet)

    The problem with those sites is that you don’t know what they are checking (static or dynamic files, or both etc). You’d probably need to check your HTTP server logs to find it out.

    I prefer to use the curl command, you get accurate results and you know what you are doing:

    $ curl -I https://nintechnet.com/index.php
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Jun 2018 14:48:55 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=15768000
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
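Added example (not code from this thread or from the NinjaFirewall plugin): a small Python checker run over constructed raw responses modelled on the values reported above, showing why the scanners disagree. A browser processes only the first Strict-Transport-Security header it receives (RFC 6797), while a scanner that joins duplicate headers with a comma ends up with a single value that no longer parses as an STS directive list. The sample responses and the 6-month minimum are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample responses, modelled on the values reported in this thread:
# NinjaFirewall's 1-year header plus the 6-month header added in .htaccess.
DUPLICATE_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n"
    "\r\n<html>"
)
SINGLE_HSTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"

def hsts_values(raw: str) -> list:
    """Every Strict-Transport-Security field value in the raw response, in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_hsts(value: str) -> Optional[dict]:
    """Parse one STS field value (RFC 6797 section 6.1); None if it is malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:                             # empty directives are permitted
            continue
        if name in directives:                   # a directive must not be repeated
            return None
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):    # "31536000, max-age=..." fails here
                return None
            directives[name] = int(arg)
        else:
            directives[name] = True
    return directives

def check_hsts(raw: str, min_age: int = 15768000) -> dict:
    """Summarise what a browser sees versus what a header-joining scanner sees."""
    values = hsts_values(raw)
    effective = parse_hsts(values[0]) if values else None   # UA uses only the first
    joined = parse_hsts(", ".join(values)) if len(values) > 1 else effective
    return {
        "count": len(values),
        "effective": effective,
        "joined_parses": joined is not None,
        "meets_min_age": bool(effective) and effective.get("max-age", 0) >= min_age,
    }
```

To check a live site, paste the output of `curl -I https://example.invalid/` (placeholder host) into `check_hsts`; a `count` above 1 means two components are each emitting the header.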
    
  • The topic ‘Strict-Transport-Security does not work’ is closed to new replies.