I configured my site for HTTP Strict Transport Security (HSTS) a while back and, being satisfied it was all running OK, I figured it was about time I configured my site to be preloaded in popular browsers. When I went to the hstspreload.org website to submit my site I received an interesting message –
Unnecessary HSTS header over HTTP Warning. Basically my .htaccess file was setting the HSTS header on every response, and that header should not be sent over a plain HTTP connection (browsers ignore it there, and the preload site flags it). I went digging around to see what the easiest and best way to resolve this would be and found that Apache's Header directive can be made conditional on an environment variable: env=HTTPS
My .htaccess HTTP header initially looked like this –
Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains"
The env=HTTPS condition was appended to this existing header line to give me the following final output –
Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" env=HTTPS
Note that the env=HTTPS condition sits outside the quoted " " section of the header value. Apache's mod_ssl sets the HTTPS environment variable only on requests that arrived over TLS, so the header is now emitted only on HTTPS responses. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.
With all being good in the world I submitted my site, and now all I have to do is make sure things stay over HTTPS at all times, which honestly won't be hard as I have no intention of using HTTP.
Recheck your domain again as I see “Error: Max-age too low
The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15552000.” while scanning your website URL.
Thanks for coming to Gondor's aid Rohan, looks like my Cloudflare setting was different to my .htaccess file. This should be updated in the next hour or so and show a 12 month value again.
Hi :-)
Thank you :-)
I have included the “env=HTTPS” part but it is still giving the error: https://hstspreload.org/?domain=qliving.com
Want to do? :-)
Hi, could you post that section of your file so I can see how it’s formatted? I’m sure we can figure it out :)
The value is:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
That ‘Header’ entry looks ok to me – in fact other frequently used sites to test all seem happy with it as well. Interestingly the HSTS preload site thinks you don’t have a HTTP>HTTPS redirect in place. It looks like you do though so I’m curious why it is flagging that. When I check the site this is what it shows me –
Error: HTTP redirects to www first
`http://webkonsulenter.dk` (HTTP) should immediately redirect to `https://webkonsulenter.dk` (HTTPS) before adding the www subdomain. Right now, the first redirect is to `http://www.webkonsulenter.dk/`. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
Error: Insecure redirect
`https://webkonsulenter.dk` redirects to an insecure page: `http://www.webkonsulenter.dk/`
How do you have your redirect setup at the moment, are you going through a CDN or just direct to your host site?
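As an added check that is not part of the original post or hstspreload.org's own code, the following Python walks a captured redirect chain and reports the same classes of problem discussed in the post and the comments above: an HSTS header emitted over plain HTTP (the reason for env=HTTPS), a first hop to www before HTTPS, an HTTPS-to-HTTP hop, and a max-age below one year. The chains, headers and example.com hostnames are constructed sample data, not responses from any real site.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # hstspreload.org requires a max-age of at least one year

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into {name: value or True}."""
    pairs = [p.strip().partition("=") for p in value.split(";") if p.strip()]
    return {n.lower(): (v.strip().strip('"') if v else True) for n, _, v in pairs}

def check_preload(chain):
    """Return the preload problems in a (url, status, headers) redirect chain that a
    client following http://<domain> sees; an empty list means preload-ready."""
    problems, domain = [], urlsplit(chain[0][0]).hostname
    for i, (url, status, headers) in enumerate(chain):
        h = {k.lower(): v for k, v in headers.items()}
        loc, hsts = urlsplit(h.get("location", "")), h.get("strict-transport-security")
        if urlsplit(url).scheme == "http":
            if hsts is not None:  # browsers ignore HSTS on plain HTTP; the preload site flags it
                problems.append("unnecessary HSTS header over HTTP")
            if i == 0 and 300 <= status < 400 and loc.hostname != domain:
                problems.append("HTTP redirects to www first")  # apex must receive the entry
            elif i == 0 and loc.scheme != "https":
                problems.append("HTTP does not redirect to HTTPS")
            continue
        if loc.scheme == "http":  # never step back from HTTPS to HTTP
            problems.append("insecure redirect")
        d = parse_hsts(hsts or "")
        max_age = int(d["max-age"]) if str(d.get("max-age", "")).isdigit() else -1
        if hsts is None:
            problems.append("missing HSTS header over HTTPS")
        elif max_age < MIN_MAX_AGE:
            problems.append("max-age too low")
        elif not (d.get("includesubdomains") is True and d.get("preload") is True):
            problems.append("includeSubDomains and preload directives required")
    return problems

# Constructed sample chains; example.com is a placeholder, not a real deployment.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SHORT = {"Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload"}
READY_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/", **GOOD}),
    ("https://www.example.com/", 200, GOOD),
]
# HSTS sent on HTTP (no env=HTTPS), www before HTTPS, and a CDN overriding max-age to six months
BROKEN_CHAIN = [
    ("http://example.com/", 301, {"Location": "http://www.example.com/", **SHORT}),
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, SHORT),
]
```

Feed it the hops you capture with curl -I (or a browser's network tab) starting from the plain-HTTP apex URL; an empty list means none of the errors above apply to that chain.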
worked perfectly for me, thank you for that header. I spent a long long time looking for the answer to this and now I am going green.
Glad I could help Clive, always nice to know others have benefitted from blog posts :)