force redirect is not secure yet for HSTS

[JWST]

Force redirect to the www subdomain or without www can be chosen.
Documented on https://www.directadmin.com/features.php?id=2365

Why is coding in Direct Admin not yet sufficient for HSTS and security headers on internet.nl?
I think the coding must be in two steps in order to be secure.

Note: In Plesk identical functionality works correctly.

Eg:
97%: https://internet.nl/site/www.webtechsolutions.nl/539788/
100%: https://internet.nl/site/webtechsolutions.nl/539790/

 

[JWST]

The recent functionality in DirectAdmin to force redirect to subdomain www. or without, is still unstable.

According to mail exchange with internet.nl:

- The HSTS header is detected at the first contact over HTTPS.
- When redirecting to another subdomain, the HSTS header must therefore be present on both subdomains.
- A redirect order applies to ensure that HSTS functions properly:
First from HTTP to HTTPS for the same subdomain;
Secondly over HTTPS, from one subdomain to the other;
Browsers do save the HSTS header per subdomain.

 

[Imtek]

HSTS is not really a part of that feature, i suggest you contact support with a ticket or open a feature request on the forum (https://forum.directadmin.com/forums/feedback-feature-requests.8/) or support ticket for including HSTS.

I feel this is still to complex/too much options for security headers in DirectAdmin there are too much options for these security headers for the interface to handle.

 

[ikkeben]

I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.

 

[Imtek]

I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.

We add the security headers in the Custom HTTPD rules on Admin Level, this works but for user level users this is not enough.

While a HSTS can be set through a .htaccess file also

And o, what a dutch people thread