SOLVED OK what's the magick with HSTS ? it doesn't work

[rscalover]

Your server has to send a "Strict-Transport-Security" header with includesubdomains and preload directives included and redirecting all http traffic to https i do that but www.hstspreload.org says

error http does not redirect to https (that's a lie it does)
error no HSTS header (another lie that header is send)

so to redirect http to https i have this

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

and the header

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;preload"

just curious why it is not working.

 

[cPRex]

Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way.

I'm personally not familiar with that testing site, but here are two methods I have used before with good results: How to check if HSTS is enabled - SSL Certificates - Namecheap.com

 

[rscalover]

Hey there! It sounds more like an issue with that testing tool than with your site. If you're seeing the headers manually and you can see the site actually redirecting in the browser, don't let an automated test steer you the wrong way.

I'm personally not familiar with that testing site, but here are two methods I have used before with good results: How to check if HSTS is enabled - SSL Certificates - Namecheap.com

Well since hsts can cause your whole website to become inaccesible i'm just carefull that automated tool does display the green background (indicating everything is ok) and the submit button becomes enabled the test just causes doubt maybe i should contact them about it.

 

[cPRex]

Contacting them directly and seeing how they perform the test is also a good option.

 

[rscalover]

Contacting them directly and seeing how they perform the test is also a good option.

I think i found the cause of the issue the form at hstspreload.org connects to my website with useragent "Go-http-client" but i have a custom mod_security rule that detects strange useragents like that because they are often used by well bad guys and then if they exceed LF_MODSEC the ip is banned by csf.I can whitelist that ip however doing that allows the whitelisted ip todo anything they want i am to paranoid to trust strangers i wonder why they use such a strange useragent .

 

[cPRex]

Good catch!!!

 

[rscalover]

Hello,

It seems "Go-http-client" belongs to a programming language called "go" i don't know that language and have no experience with it whenever i need to process a form or make a request to an external resource i just use PHP with cURL i guess i am old fashioned http - The Go Programming Language it does make me curious you can mark this as solved