Questions tagged [hsts]

HTTP Strict Transport Security is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

17 questions
10 votes, 4 answers

Do I need a wildcard SSL certificate for inclusion in the HSTS preload list?

I'd like to submit my personal site into the Chrome HSTS preload list. The site there says: In order to be included on the HSTS preload list, your site must: Have a valid certificate. Redirect all HTTP traffic to HTTPS - i.e. be HTTPS only.…
Kevin Burke
9 votes, 2 answers

HSTS Preload section on .htaccess

Recently having moved a site to SSL, I looked into enforcing HSTS for eventual preload. The syntax is approved and the Chrome List allows it to be OK. However, not being a coder at all, a slight problem arises. I have: php_value upload_tmp_dir…
Claverhouse
8 votes, 1 answer

Will implementing HSTS prevent Googlebot from seeing 301 permanent redirects from HTTP to HTTPS?

I did a migration from http:// to https:// for a big site with more than 2 million URLs indexed on Google. As others have mentioned I'm also experiencing a bit of fluctuation on organic traffic (-10% as measured by Google Analytics). Things I did…
Jonathan Meyer
6 votes, 1 answer

HSTS effect on SEO

I do back-end work for a couple of fairly knowledgeable people in the SEO field (i.e. not people off the street just claiming to be SEO experts). One of them is advising that HSTS improves SEO, while the other asserts it makes no difference. I…
davidgo
5 votes, 2 answers

HSTS implementation in .htaccess when using www subdomain

Been looking at implementing HSTS into one of our sites, hoping to validate it on the preload list. But I can't get my head around how it works with the www subdomain. Our site forces secure www.domain.com using this code in the htaccess. …
Randomer11
4 votes, 1 answer

ERR_TIMED_OUT when accessing S3 bucket by a custom domain that uses Route53

I have set up a static website by following this walkthrough: https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html I can see the website by accessing its bucket address…
Ali Alavi
3 votes, 1 answer

Removal from HSTS preload list?

A client has moved their website to another provider who does not support secure (HTTPS) browsing. The previous site was served over HTTPS and sent HSTS headers and was included on the Chrome HSTS preload list, so many browsers automatically attempt…
Andrew Lott
3 votes, 3 answers

prefer (don't force) https but allow http on Linux (html, or wordpress)

So I have 2 websites with https/ssl working fine, but on some browsers typing a url without a protocol defaults to using http, despite them supporting https. I want clients to be redirected to https only if their browsers support it (so the usual…
Mousey
2 votes, 0 answers

CloudFlare and Avast strict transport

This weekend, we started using CloudFlare*. One of our users is reporting that Avast, the anti-virus software, has blocked our site due to a certificate error. Presumably this is because our certificate has changed -- we are now using the…
DMCoding
2 votes, 0 answers

Deploy HSTS including subdomains if main domain is www (no preloading yet)

I want to deploy HSTS for *.example.com but we don't have web content on example.com. Instead, www.example.com is our main site and we have hundreds of (partly unknown) subdomains, so we don't want to use HSTS preload right away (just in…
xsrf
2 votes, 1 answer

How do I get .app TLD to work with my .htaccess

I have a number of domains hosted on one server. I tried them as sub-domains but that was a failure. So I obtained new certificates and I have them configured as Add-On_Domains. They are all using the same template for .htaccess and are configured…
Rohit Gupta
2 votes, 1 answer

When redirecting to another domain, to which domain will HSTS apply?

Assuming the following, what domain will be HSTS'ed for the next year, foo.com or bar.com? RTFM (RFC6797) doesn't help much. > GET / HTTP/1.1 > Host: foo.com [ ... ] < HTTP/1.1 301 Moved Permanently < Strict-Transport-Security: max-age=31536000;…
1 vote, 1 answer

Does HSTS includeSubdomains also include other ports on the subdomains?

Context I have a web application (SPA) that uses a http api at a subdomain and also a websocket server on a different port of the api domain. Example: https://example.com/ the web application https://api.example.com/ the http…
Lucas
1 vote, 0 answers

HSTS and redirecting to www. sub domain

I am trying to set up HSTS for my website but running into some problems regarding the response headers and the use of a sub domain. What I would like is for all HTTP traffic to redirect to https://www.example.co.uk. I have been using the information…
1 vote, 0 answers

How long does Chrome take for HSTS preload list inclusion?

Assuming that my domain meets the inclusion requirements, and I successfully submit it to hstspreload.org, then: How long does it take on average until Chrome comes out with a new stable release with my domain preloaded? Is there an easy way to…
Maximillian Laumeister