
Is it possible to send an HSTS disable via the server?

Gilad
30 December 2014, 14:40
Hi Hugo,
I got a site with a redirect from https to http (thanks to you!).
Problem is that old clients still have the HSTS directive cached in their browser and I can't possibly contact each visitor to ask them to clear it.
Is there a way to make the Hiawatha server send something like (in PHP): header("strict-transport-security: max-age=0");
that will cause the HSTS to be disabled? I need to find a way to disable it on clients via a server call.

I've already added RequireSSL = no, 0 to my virtualhost but that didn't help.

Any advice?

Hiawatha version: 9.9
Operating System: Ubuntu 12
Hugo Leisink
30 December 2014, 16:03
The ", 0" disables the header entirely. Try using "RequireSSL = no, 1" to set a low value. Don't know if that works, but it's worth trying.
Gilad
30 December 2014, 16:25
Thanks Hugo.
I just gave it a try but it doesn't seem to work :-(
Seems I'm stuck with those customers until the HSTS expires... Any idea what the default time for it to expire is?
Hugo Leisink
30 December 2014, 16:28
The default in Hiawatha is a year. But what is exactly the problem with users connecting via HTTPS?
Gilad
30 December 2014, 18:11
A year? Oh man :-( That's really bad as I will lose customers.

The problem is that people who have the HSTS from our https version (before we added a redirect to http) get an infinite redirect loop in their Chrome/Firefox browsers.
On the first request, this happens:

Request URL:http://www.mysite.com/
Request Method:GET
Status Code:307 Internal Redirect

Request Headers:
Provisional headers are shown
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer:
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Response Headers:
Location:https://www.mysite.com/
Non-Authoritative-Reason:HSTS

After that, https://www.mysite.com/ redirects with a 301 to http://www.mylivesignature.com/ which redirects with a 301 back to https://www.mysite.com/

Hugo Leisink
30 December 2014, 19:41
I don't think I understand all the redirects, but when done correctly, an HTTPS website should be the same as the HTTP version and vice versa.
Gilad
30 December 2014, 20:30
Yeah but as the site holds some external js code it doesn't act the same, hence the issue we're having.
Hugo Leisink
30 December 2014, 21:21
Then why did you enable RequireSSL for that site in the first place? You can't do much about the HSTS in your customer's browsers. So, your solution must be in fixing the redirections. Sorry I don't have the ultimate solution.
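The loop in this thread follows directly from how a browser applies a cached HSTS policy (RFC 6797): for a known host, a plain http:// URL is rewritten to https:// before any request leaves the browser (the "307 Internal Redirect" / "Non-Authoritative-Reason: HSTS" shown above), so a server-side 301 from https back to http can never be reached over http. Two further rules from the same RFC matter for fixing it: a Strict-Transport-Security header received over plain HTTP is ignored, and a header with max-age=0 received over HTTPS makes the browser delete the cached policy. The simulation below is an added example, not code from the thread or from Hiawatha; it models a browser's HSTS store plus the two server configurations (the broken one and one that additionally sends max-age=0 on the HTTPS redirect response). The hostname www.example.com and the response tables are constructed for the example. The PHP header() call in the question emits exactly the header the fixed configuration uses, provided that response is served over HTTPS.

```python
"""Simulation of a browser HSTS cache (RFC 6797) and the redirect loop from the thread.

Added example with constructed data; not Hiawatha code and not a real HTTP client.
"""
import time
from urllib.parse import urlsplit, urlunsplit

HOST = "www.example.com"            # stand-in for the poster's site
HTTP_URL = "http://" + HOST + "/"
HTTPS_URL = "https://" + HOST + "/"


def parse_max_age(value):
    """Return the integer max-age of an STS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


class HSTSStore:
    """Minimal known-HSTS-host cache: host -> policy expiry (epoch seconds)."""

    def __init__(self, now=None):
        self.hosts = {}
        self.now = now or time.time      # injectable clock for testing

    def process_response(self, url, headers):
        parts = urlsplit(url)
        # RFC 6797 s.8.1: an STS header received over insecure transport is ignored.
        if parts.scheme != "https":
            return
        sts = headers.get("strict-transport-security")
        if sts is None:
            return
        max_age = parse_max_age(sts)
        if max_age is None:
            return
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)   # max-age=0: forget the policy
        else:
            self.hosts[parts.hostname] = self.now() + max_age

    def is_known(self, host):
        expiry = self.hosts.get(host)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self.hosts[host]                   # expired policy
            return False
        return True

    def rewrite(self, url):
        """The internal 307: upgrade http:// to https:// for a known host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


# Constructed server responses: url -> (status, headers).
# The thread's state: the HTTPS side 301s to HTTP and says nothing about HSTS.
BROKEN_SITE = {
    HTTPS_URL: (301, {"location": HTTP_URL}),
    HTTP_URL: (200, {}),
}
# Fix: the HTTPS redirect response also carries max-age=0. The same header on the
# plain-HTTP response is harmless but does nothing, since browsers ignore it there.
FIXED_SITE = {
    HTTPS_URL: (301, {"location": HTTP_URL, "strict-transport-security": "max-age=0"}),
    HTTP_URL: (200, {"strict-transport-security": "max-age=0"}),
}


def old_client(now=None):
    """A visitor who saw the year-long header while the site was HTTPS-only."""
    store = HSTSStore(now)
    store.process_response(HTTPS_URL, {"strict-transport-security": "max-age=31536000"})
    return store


def fetch(store, site, url, max_hops=8):
    """Follow redirects as a browser would. Returns (hops, final status or "loop")."""
    hops = []
    for _ in range(max_hops):
        target = store.rewrite(url)
        if target != url:
            hops.append((url, "307 Internal Redirect (HSTS)"))
            url = target
        status, headers = site[url]
        store.process_response(url, headers)   # applied to every HTTPS response, 301 included
        hops.append((url, status))
        if status in (301, 302, 307, 308):
            url = headers["location"]
            continue
        return hops, status
    return hops, "loop"


if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        hops, outcome = fetch(old_client(), site, HTTP_URL)
        print(name, outcome, hops)
```

With the broken table the old client bounces between the internal 307 and the server's 301 until the hop limit; with the fixed table the first HTTPS response clears the cached policy, the 301 to http is followed without an upgrade, and the page loads. The HTTPS host therefore has to stay up with a valid certificate long enough for returning clients to receive the max-age=0 header; simply removing the header (the ", 0" setting) leaves every existing cache entry in place until it expires.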
This topic has been closed.