hstspreload.org | Chromium's HSTS preload list submission website | Browser Plugin library
kandi X-RAY | hstspreload.org Summary
This folder contains the source for the HSTS preload list submission website at hstspreload.org. See github.com/chromium/hstspreload for the core library that checks websites against the submission requirements.
Community Discussions
Trending Discussions on hstspreload.org
QUESTION
I'm following the instructions to install Nextcloud on an nginx server. I copy the configuration from the official documentation, I set my server name and my SSL certificate path, and when I try to reach Nextcloud from my browser I get "500 Internal server error".
When I check the error.log I get
rewrite or internal redirection cycle while processing "/index.php"
This is my configuration file:
...
ANSWER
Answered 2020-Apr-27 at 15:05
I solved the issue by re-uploading the configuration file via FTP; pasting it into nano on the SSH shell was a bad idea!
QUESTION
I've searched for this problem, but haven't found a solution yet.
I have Nextcloud installed on https://example.com/nextcloud.
Yesterday I installed Seafile, which works on https://example.com (I simply don't know how to make it accessible from, for example, https://example.com/seafile).
While I was setting it up, Nextcloud was switched off by deleting the link to the corresponding file in the sites-enabled directory. Seafile worked. But when I enabled Nextcloud, I got error 403 Forbidden when trying to access Seafile. I also enabled the info level in Nginx and there I got the following message:
ANSWER
Answered 2020-Feb-02 at 11:18
As Lars Stegelitz said, I have to run these services on different ports. I did that, and now Nextcloud runs on port 445 while Seafile stays on 443. I've added location /nextcloud and in it the directive proxy_pass https://192.168.1.134:445;
Here are my updated configs.
seafile.conf:
QUESTION
I want to always use https:// and the non-www URL. So I used the following code in my .htaccess file, but I am getting a warning from https://hstspreload.org:
...
ANSWER
Answered 2017-Jul-10 at 23:08
The issue is that you are sending the header when the user is connected using HTTP. If you want to force them to use HTTPS, perform a redirect first like this:
QUESTION
I would like to redirect from HTTP to HTTPS and use HSTS.
https://hstspreload.org/ (test failed)
Error: No HSTS header
Response error: No HSTS header is present on the response.
How can I redirect and set HSTS at the same time?
P.S. I have set up load balancing with an AWS SSL certificate and ELB.
/etc/nginx/conf.d/default.conf
...
ANSWER
Answered 2018-May-08 at 21:45
You haven't given enough information about your setup, but I can take a guess at what is going on.
I would guess you are offloading your SSL at your ELB and sending plaintext HTTP messages to Nginx with the HTTP_X_FORWARDED_PROTO header set to the original scheme.
So if the user goes to https://www.example.com then it offloads the SSL/TLS and directs traffic to http://www.example.com with HTTP_X_FORWARDED_PROTO set to "https". In this scenario there is no redirect (as the user is already using HTTPS) but also no HSTS header (as the user is not using HTTPS to nginx and you only set that header in your 443 server config). You should add this to your port 80 server to also serve the HSTS header for this scenario:
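The nginx snippet the answer goes on to show is not reproduced on this page. As an added example that is neither the answerer's config nor anything from hstspreload.org, the following Python WSGI application implements the same decision the answer describes for an origin behind a TLS-terminating load balancer: the client's real scheme is read from X-Forwarded-Proto, but only when the request actually arrived from the balancer, because anyone who can reach the origin directly can set that header themselves. The trusted address range, host names and request environments are constructed for the example.

```python
"""Added example: origin logic behind a TLS-offloading load balancer.

The balancer terminates TLS and forwards plaintext HTTP to the origin,
carrying the client's original scheme in X-Forwarded-Proto. The origin
therefore cannot use its own listening port to decide between
"redirect to HTTPS" and "serve with an HSTS header".
"""
from ipaddress import ip_address, ip_network

# Assumption for the example: the balancer's egress addresses. A request
# from anywhere else is treated as a direct connection and the forwarded
# header is ignored, so a client cannot spoof its way past the redirect.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Meets the hstspreload.org minimums: one year, subdomains, preload token.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"

REDIRECT = "301 Moved Permanently"


def client_scheme(environ):
    """Scheme the end user is using, as reported by a trusted proxy.

    Falls back to the scheme of this hop when the request did not come
    through the balancer or carries no usable X-Forwarded-Proto.
    """
    remote = ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    # With chained proxies the header can be a list; the first entry is the client-facing hop.
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if forwarded in ("http", "https") and any(remote in net for net in TRUSTED_PROXIES):
        return forwarded
    return environ.get("wsgi.url_scheme", "http")


def app(environ, start_response):
    """WSGI app: plaintext clients get a 301 to HTTPS; every HTTPS response carries HSTS."""
    host = environ.get("HTTP_HOST", "localhost")
    path = environ.get("PATH_INFO", "/")
    if client_scheme(environ) != "https":
        # No HSTS here: browsers ignore the header on plain HTTP responses anyway.
        start_response(REDIRECT, [("Location", f"https://{host}{path}"), ("Content-Length", "0")])
        return [b""]
    body = b"served over HTTPS\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
        ("Strict-Transport-Security", HSTS_VALUE),
    ])
    return [body]


def call(environ):
    """Run one request through app() and return (status, headers-dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(remote_addr, forwarded_proto=None, scheme="http",
                 host="www.example.com", path="/"):
    """Constructed WSGI environ for the example; not captured traffic."""
    env = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": scheme,
           "HTTP_HOST": host, "PATH_INFO": path}
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


if __name__ == "__main__":
    cases = {
        "via balancer, client on https": make_environ("10.1.2.3", "https"),
        "via balancer, client on http": make_environ("10.1.2.3", "http"),
        "direct, spoofed header": make_environ("203.0.113.9", "https"),
    }
    for label, env in cases.items():
        status, headers, _ = call(env)
        print(f"{label}: {status} {headers.get('Location', headers.get('Strict-Transport-Security'))}")
```

Run it as a script, or mount `app` with `wsgiref.simple_server` to try it with a real client. In nginx terms this is the split the answer asks for: the port 80 server block serves the header when the forwarded scheme is https and redirects otherwise, and a proxy header from an untrusted source is ignored.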
QUESTION
https://hstspreload.org/ suggests that there should be 2 redirects with:
I implemented the 2-redirect solution using the code below in the .htaccess file:
...
ANSWER
Answered 2019-Jun-27 at 23:04
If you go direct in one step:
QUESTION
I'm looking for a solution for PrestaShop 1.7.2 with an Nginx server.
I tried dozens of possible solutions, including the official one, but all stop working as soon as I activate the store with more than one language.
...
ANSWER
Answered 2019-May-22 at 18:15
This works for me:
QUESTION
While reading through https://hstspreload.org I noticed in the section "Deployment Recommendations" that I should "Add the Strict-Transport-Security header to all HTTPS responses...".
Because including the HSTS policy in all HTTPS responses sounds like overkill to me, I examined a few websites to check whether they really include this header field in all their HTTPS responses. But not even Google is doing it; e.g. https://www.google.com/doodles has no Strict-Transport-Security header field in the response.
So my question is: when should a server response include the HSTS policy?
The options I see here are:
- include HSTS in every HTTPS response.
- include HSTS in every security-relevant HTTPS response.
- include HSTS only for e.g. example.com but not for any paths like example.com/mypath
  - I mean, sooner or later they're going to visit example.com anyway, no?
- include HSTS only if the request has an "upgrade-insecure-requests: 1" field
  - I noticed that Chrome sends this request header field for security-relevant stuff if HSTS was not set.
ANSWER
Answered 2018-Oct-02 at 07:13
I don't think it's overkill to add it to every resource. It's a very small header and ensures the best chance of the HSTS policy being seen.
Many people even load a pixel from the base domain (e.g. www.example.com can load https://example.com/1pixel.png) to ensure the base domain HSTS policy is loaded as well. If you configure HSTS to only be delivered on documents then this is not picked up.
I certainly would not include it only on the home page. It's not a valid assumption to say that sooner or later they visit it.
What's your concern here? You have a super-optimised site that will be killed by serving this header with each resource? For CSP I'd understand where you were coming from, as that header can get very large, but for HSTS I really think you're overthinking this. Also, if using HTTP/2 then header compression solves this too. Plus the config needed to only return it on some resources would be added complexity and hassle you don't really need.
QUESTION
I was testing my website at https://hstspreload.org and I got this error:
Error: HTTP redirects to www first
http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.example. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
As far as I can understand, the redirect, to be valid, should be done this way:
- http://example (this is what the user enters in the address bar)
- https://example (first redirect, to HTTPS)
- https://www.example (second redirect, to subdomain www)
At the moment, this is my .htaccess code causing the redirect:
ANSWER
Answered 2018-Sep-11 at 07:29
Summary of the comments:
- Configuration in httpd.conf and .htaccess is read top to bottom.
- RewriteRules are applied in sequence, top to bottom, until you reach the last one. All rules that match the condition are applied.
- To prevent that, you can add the [L] tag to a RewriteRule. This tag tells Apache that it was the last rule to apply if it matches the conditions. All further rules are ignored for this request.
The sequence of rewrites here is:
- the client requests http://example.com
- a RewriteRule redirects the client to https://example.com
- the client comes back with https://example.com
- a second RewriteRule redirects the client to https://www.example.com
- the client comes back with https://www.example.com
- no RewriteRule applies; Apache responds to the request.
Why do it this way? It covers all cases. If a client's first request is already https://example.com, the scenario above will start at step 4.
A sample configuration could look like:
QUESTION
Let me explain a real world situation here.
I run the website https://www.liloo.ro and I want to enable HSTS (+HSTS preload) for it.
The problem is that in order to submit it to the preload list the main domain has to respond with an HSTS header.
Let me be more precise: in order to submit a site to the preload list and meet the requirements, the first redirect has to be to the https version of the main domain.
In my case I can't redirect from http directly to https + www: I have to redirect first from http to https (serve the main domain name HSTS header here) and redirect once again to https + www.
This poses a huge redirect dilution SEO problem (not to mention the fact that chained redirects are not ideal).
So each way I look at this I either have to give up on HSTS preload list or use chained redirects. Neither option looks ideal.
The only possible workaround might be something from the preload list requirements but I don't quite understand what it means:
If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.
As far as I know there is no way to serve such thing as a HSTS header when doing a redirect ... but maybe I'm wrong. Any ideas how to solve this issue? ... or should I give up on HSTS preload list altogether because my site is www only?
I can't just switch from www to non-www at this point... I know it would have been the "easy" solution.
Any idea - much appreciated. I noticed this thread Adding HSTS http headers on domain root during redirect to www subdomain in web.config ...but I doubt it solves the issue (+ I'm using nginx)
...ANSWER
Answered 2018-May-18 at 15:54
I am really thankful you posted this, because I have exactly the same issue, i.e., http://DOMAIN redirects directly to https://www.DOMAIN, combining the redirect to HTTPS and the one to the www subdomain.
I know it would have been the "easy" solution.
Note that there are reasons to use a subdomain like www, as has been discussed on several occasions already, and so this choice is completely understandable.
However, HSTS has no way (at least not yet) to combine the two redirects: it can only forward directly to HTTPS. I suppose that if the HSTS preload site detects that this is not what the plain HTTP server itself does, then enforcing a "307 internal redirect" to just HTTPS is not admissible. (As far as I can tell, this requirement is not explicitly stated on hstspreload.org, but can only be found out by actually trying to set up the HSTS preload.)
I have no full answer to your question, but I can provide a bit more information on a few points you raise:
If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.
Please note the exact (current) quote from hstspreload.org:
If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
This is relevant for the following point:
As far as I know there is no way to serve such thing as a HSTS header when doing a redirect ...
It is completely possible for an HTTP redirect response to also have an HSTS header. This only means that the HTTP redirect response also contains a Strict-Transport-Security header field with suitable parameters. For example, using SWI-Prolog as the HTTP server, you can emit such responses like this:
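The SWI-Prolog snippet the answer goes on to show is not reproduced on this page. As an added example, not the answerer's code and not the checker behind hstspreload.org (github.com/chromium/hstspreload), the following Python script encodes the submission rules that this thread and the preceding one about the http to https to www chain turn on, and runs them offline against three constructed response tables: a compliant site, a site whose first redirect adds www, and a site whose HTTPS redirect lacks the header. The domain, URLs and responses are constructed; the rules are the ones hstspreload.org publishes (redirect from HTTP to HTTPS on the same host, HSTS on every HTTPS response including redirects, max-age of at least 31536000, includeSubDomains and preload).

```python
"""Added example: offline check of the hstspreload.org redirect and header rules.

Rules encoded (from the published submission requirements, not from the
hstspreload.org code):
  1. http://<domain>/ must redirect to https://<domain>/, the same host,
     before any redirect that adds www.
  2. Every HTTPS response on the way to the final page, redirects
     included, must carry Strict-Transport-Security. A redirect is an
     ordinary HTTP response and can carry the header like any other.
  3. max-age >= 31536000, plus the includeSubDomains and preload directives.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000
REDIRECTS = (301, 302, 307, 308)
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed response tables, URL -> (status, headers). Not captured traffic.
COMPLIANT = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (301, {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": GOOD_HSTS}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": GOOD_HSTS}),
}
# The chain the question above describes: http straight to https+www in one hop.
WWW_FIRST = {**COMPLIANT,
             "http://example.com/": (301, {"Location": "https://www.example.com/"})}
# The "No HSTS header" failure: the HTTPS redirect from the bare domain lacks it.
NO_HSTS_ON_REDIRECT = {**COMPLIANT,
                       "https://example.com/": (301, {"Location": "https://www.example.com/"})}


def parse_hsts(value):
    """Strict-Transport-Security value -> {directive (lower-case): value or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') if val else None
    return directives


def follow(responses, url, limit=10):
    """Walk the redirect chain in a response table; returns [(url, status, headers)]."""
    hops = []
    while len(hops) < limit:
        status, headers = responses[url]
        hops.append((url, status, headers))
        if status not in REDIRECTS:
            return hops
        url = headers["Location"]
    raise ValueError(f"more than {limit} redirects starting at {hops[0][0]}")


def hsts_errors(url, headers):
    """Rules 2 and 3 for one HTTPS response."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return [f"No HSTS header on {url}"]
    d = parse_hsts(value)
    errors = []
    try:
        max_age = int(d.get("max-age") or "0")
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        errors.append(f"max-age {max_age} is below {ONE_YEAR} on {url}")
    if "includesubdomains" not in d:
        errors.append(f"includeSubDomains missing on {url}")
    if "preload" not in d:
        errors.append(f"preload missing on {url}")
    return errors


def check_preload(responses, domain):
    """Return a list of rule violations for domain; an empty list means it passes."""
    errors = []
    http_chain = follow(responses, f"http://{domain}/")
    first_url, first_status, first_headers = http_chain[0]
    if first_status not in REDIRECTS:
        errors.append(f"{first_url} does not redirect to HTTPS")
    else:
        target = urlsplit(first_headers["Location"])
        if target.scheme != "https" or target.hostname != domain:
            errors.append(f"HTTP redirects to {target.geturl()} first; "
                          f"it must redirect to https://{domain}/ before adding www")
    # Check the HTTPS leg reached from HTTP and the bare HTTPS origin, each URL once.
    seen = set()
    for start in (f"http://{domain}/", f"https://{domain}/"):
        for url, _status, headers in follow(responses, start):
            if urlsplit(url).scheme == "https" and url not in seen:
                seen.add(url)
                errors.extend(hsts_errors(url, headers))
    return errors


if __name__ == "__main__":
    for name, table in (("compliant", COMPLIANT), ("www-first", WWW_FIRST),
                        ("no-hsts-on-redirect", NO_HSTS_ON_REDIRECT)):
        print(f"{name}: {check_preload(table, 'example.com') or 'OK'}")
```

To use this against a live deployment, replace the response tables with a function that performs the requests without following redirects (for example `requests.get(url, allow_redirects=False)`) and returns the same `(status, headers)` shape; the rule checks stay the same. Note that the HTTPS redirect from the bare domain is checked exactly like any page: that is the point the answer makes, and it is the response the questioner's www-only setup has to get right.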
QUESTION
I am trying to finalize HSTS compliance; I am a web guy, but this is over my head.
My current .htaccess is:
...
ANSWER
Answered 2018-Feb-02 at 20:38
You can have your redirects like this:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported