force redirect is not secure yet for HSTS

Imtek

Verified User
Joined
Dec 11, 2005
Messages
203
Location
The Netherlands
If this is an issue in DirectAdmin and you are a license holder, you can submit issues/errors into their ticket system. I can put in a ticket if you want.

Otherwise you can open a feedback vote topic on their feedback page, just ask people to vote it here ;)

Richard G

Verified User
Joined
Jul 6, 2008
Messages
7,644
Location
Maastricht
We are aware of that, you already stated that in post #3 and I repeated it in post #17. :)
But there was a chance somebody from DA had seen it here and wanted/liked to comment on that. But anyone, feel free to create a ticket if you want.

JWST

Verified User
Joined
May 29, 2019
Messages
8
Location
Arnhem
About my introduced terms 'early rewrite' and 'late redirect':

For me 'early' means the working rewrite to HTTPS by the DA panel before reaching any statement in .htaccess (e.g. http://www.webhostingtech.nl to https://www.webhostingtech.nl). The introduced and confusing name 'Force Redirect' in the DA panel was coded within the rewrite by the DA panel.

This rewrite does not work for https://www.webhostingtech.nl to https://webhostingtech.nl, because the security headers are only respected for the previous URL via HTTPS. Note: a browser like Chrome is not that critical.

Furthermore, my workaround of using the longstanding redirect functionality for https://www.webhostingtech.nl to https://webhostingtech.nl is not a redirect 'late' enough. It is written by the DA panel at the bottom of .htaccess, so a security header at httpd web server level is not read, and the test of internet.nl will not detect this security header.

I think this should clarify the analysis.
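For readers following the 'early rewrite' / 'late redirect' discussion above, here is an added example of a plain Apache 2.4 virtual host layout in which the HTTP-to-HTTPS hop, the www-to-apex hop and the final page are all handled by httpd and the HTTPS hops carry Strict-Transport-Security. This is example configuration written for this thread, not the config DirectAdmin generates and not the poster's .htaccess; the domain example.nl, the certificate paths and the DocumentRoot are placeholders, and it assumes mod_rewrite and mod_headers are loaded and the certificate covers both example.nl and www.example.nl.

```apache
# Added example, not DirectAdmin's generated vhost. Domain, paths and
# max-age are assumptions chosen for illustration.

# Hop 1: plain HTTP -> HTTPS. No HSTS header is sent here on purpose:
# browsers ignore Strict-Transport-Security received over plain HTTP.
<VirtualHost *:80>
    ServerName example.nl
    ServerAlias www.example.nl
    # "Redirect" prefix-matches, so the request path is preserved.
    Redirect permanent / https://example.nl/
</VirtualHost>

# Hop 2: https://www.example.nl -> https://example.nl, plus the final page.
<VirtualHost *:443>
    ServerName example.nl
    ServerAlias www.example.nl
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.nl/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/ssl/example.nl/privkey.pem     # assumed path

    # "always" is the important word: mod_headers only adds a plain
    # "Header set" to 2xx responses, so the 301 answered for the www
    # hostname would leave without HSTS. With "always" the header is also
    # attached to redirect responses, and the browser records HSTS for
    # www.example.nl at that hop and for example.nl at the final response.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # The www -> apex redirect, done by httpd rather than by a rule at the
    # bottom of .htaccess, so the header above is already in effect.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.example\.nl$ [NC]
    RewriteRule ^ https://example.nl%{REQUEST_URI} [R=301,L]

    DocumentRoot /var/www/example.nl   # assumed path
</VirtualHost>
```

To verify the chain after a reload, request each hop separately with `curl -sI http://www.example.nl/`, `curl -sI https://www.example.nl/` and `curl -sI https://example.nl/` and confirm that the two HTTPS responses (the 301 and the final 200) both contain a Strict-Transport-Security line; the HTTP response should redirect without one. Leave out `preload` until every subdomain is served over HTTPS, because inclusion in browser preload lists is hard to undo.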