force redirect is not secure yet for HSTS

If this is an issue in DirectAdmin and you are a license holder, you can submit issues/errors into their ticket system. I can put in a ticket if you want.

Otherwise you can open a feedback vote topic on their feedback page, just ask people to vote it here ;)
 
We are aware of that; you already stated that in post #3 and I repeated it in post #17. :)
But there was a chance somebody from DA saw it here and wanted/liked to comment on that. But anyone feel free to create a ticket if you want.
 
About my introduced terms 'early rewrite' and 'late redirect':

For me 'early' means the working rewrite to HTTPS by the DA panel before reaching any statement in .htaccess (e.g. http://www.webhostingtech.nl to https://www.webhostingtech.nl). The introduced and confusing name 'Force Redirect' in the DA panel was coded within the rewrite by the DA panel.

This rewrite does not work for https://www.webhostingtech.nl to https://webhostingtech.nl, because the security headers are only respected for the previous URL via HTTPS. Note: a browser like Chrome is not that critical.

Furthermore, my workaround to use the longstanding redirect functionality for https://www.webhostingtech.nl to https://webhostingtech.nl is not a redirect 'late' enough. It is written by the DA panel at the bottom of .htaccess, so a security header on the httpd webserver level is not read, and the test of internet.nl will not determine this security header.

I think this should clarify the analysis.
 
See that

I'm using NGINX and I just had to add this HTTP header

Code:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Furthermore, regardless of whether I put www or any subdomain, it still shows valid HSTS.
 
See that

I'm using NGINX and I just had to add this HTTP header

Code:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Furthermore, regardless of whether I put www or any subdomain, it still shows valid HSTS.

No, I am not sure, while you have to check all www, non-www, http and https:

That is not how it is on Apache and DA, then not good if force redirect to https is used in DA.
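
The two posts above disagree about whether www, non-www, HTTP and HTTPS all need checking. The point in the 'early rewrite' / 'late redirect' post is that a redirect response itself (here the https://www to https:// hop written at the bottom of .htaccess) must also carry Strict-Transport-Security, otherwise a tester such as internet.nl that examines that hop reports HSTS as missing. The script below is an added example, not code from this thread or from DirectAdmin, NGINX or internet.nl. It walks a redirect chain one hop at a time and reports, for every HTTPS response including redirects, whether a valid HSTS header is present. The sample responses and the host name example.test are constructed to mirror the situation described in the thread; `live_fetch` is an optional, hypothetical helper for running the same walk against a real host with the standard library.

```python
"""Hop-by-hop HSTS check for the www / non-www / http / https redirect chain."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MIN_MAX_AGE = 31536000  # one year, the value used in the nginx post above


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns None when max-age is missing or not an integer, which browsers
    treat as an invalid (ignored) header.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def check_chain(start_url, fetch, max_hops=10):
    """Follow redirects from start_url using fetch(url) -> (status, headers).

    Returns a list of per-hop findings: (url, status, ok, reason). An HTTPS hop
    is ok only if it carries a valid HSTS header with a sufficient max-age; a
    plain-HTTP hop is ok only if it redirects (browsers ignore HSTS over HTTP).
    """
    findings = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        lower = {k.lower(): v for k, v in headers.items()}
        is_redirect = 300 <= status < 400 and "location" in lower
        if urlsplit(url).scheme != "https":
            ok, reason = is_redirect, "http hop must redirect to https"
        else:
            parsed = parse_hsts(lower.get("strict-transport-security", ""))
            if parsed is None:
                ok, reason = False, "no valid Strict-Transport-Security header"
            elif parsed["max_age"] < MIN_MAX_AGE:
                ok, reason = False, "max-age below %d" % MIN_MAX_AGE
            else:
                ok, reason = True, "ok"
        findings.append((url, status, ok, reason))
        if not is_redirect:
            break
        url = urljoin(url, lower["location"])
    return findings


HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed responses (not captured from any real host) modelling the thread:
# the http->https hop works, but the late .htaccess redirect from https://www
# to https:// is emitted without the header, so that hop fails.
SAMPLE_BROKEN = {
    "http://www.example.test/": (301, {"Location": "https://www.example.test/"}),
    "https://www.example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (200, {"Strict-Transport-Security": HSTS}),
}

# Same chain after the header is set at webserver level, so every HTTPS
# response (redirects included) carries it.
SAMPLE_FIXED = dict(SAMPLE_BROKEN)
SAMPLE_FIXED["https://www.example.test/"] = (
    301, {"Location": "https://example.test/", "Strict-Transport-Security": HSTS})


def make_fetch(responses):
    """Build an offline fetch(url) from a dict of constructed responses."""
    return lambda url: responses[url]


def chain_is_hsts_clean(start_url, fetch):
    return all(ok for _, _, ok, _ in check_chain(start_url, fetch))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand each 3xx back to us instead of following it


def live_fetch(url):
    """Hypothetical helper: fetch one hop from a real host without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx and 4xx arrive here; the error object carries headers too
    return resp.getcode(), dict(resp.headers)


if __name__ == "__main__":
    for label, responses in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label)
        for url, status, ok, reason in check_chain("http://www.example.test/", make_fetch(responses)):
            print("  %d %-28s %s %s" % (status, url, "OK " if ok else "BAD", reason))
```

Running it against the constructed data prints the https://www hop as BAD in the broken chain and OK in the fixed one. For a real check, call `check_chain` four times (http and https, www and non-www) with `live_fetch` as the fetcher, which is the same set of starting points the internet.nl test exercises.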
