HSTS header not set with www and non www setup

Hello there,

I’m using the standard installation.

This is what I modified in app.yml:

hooks:
  ## Add Let's Encrypt cert for non-www and www domain name
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d example.com -d www.example.com --keylength"

Hostname for your Discourse is: www.example.com

So far the setup works and the cert is delivered for example.com and www.example.com.

But when I check the SSL parameters with SSLLabs, the HSTS header is missing for the domain www.example.com. For example.com it is working:

Strict Transport Security (HSTS) Yes
max-age=31536000; includeSubdomains; preload

And Hardenize (www.hardenize.com) says the following:

Redirection from HTTP to HTTPS not to the same host

When HSTS is used, the plaintext port should redirect to the HTTPS variant of the same hostname. This approach ensures that HSTS is enabled on that hostname, even if later the client is sent elsewhere. A redirection to another host is only safe if it is for a parent host that has HSTS with includeSubDomains enabled, but that’s not the case here.

Starting point: http://example.de

Current redirection: https://www.example.com

Expected redirection: https://example.com

Policy not preloaded
When hostname is preloaded, that means that browsers embed your HSTS policy and apply it even to the first request sent to your web site. This server indicates preloading in its policy, but the domain name isn’t actually preloaded. We classify this as a warning because it’s a common problem to place the ‘preload’ keyword in the policy even though the infrastructure is not ready for preloading. This is dangerous because, in this situation, anyone can submit this domain name for preloading just by visiting hstspreload.org. We recommend that you either preload this domain name yourself—if it’s ready—or remove the preloading indicator from the policy until it is ready.

Any ideas why the HSTS header is NOT set for the www.example.com domain?

1 Like
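The Hardenize rules quoted above can be checked offline against captured headers. This is an added example, not code from the thread, Hardenize or Discourse; the sample headers and the empty preload set are constructed to mirror the situation described in the post.

```python
from urllib.parse import urlparse

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None when the header is absent."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def is_parent(parent, child):
    """True when child is a subdomain of parent (www.example.com under example.com)."""
    return child.endswith("." + parent)

def audit_redirect(start_url, location, hsts_by_host, preloaded=frozenset()):
    """Check one plaintext-to-HTTPS redirect the way Hardenize describes.

    hsts_by_host maps a hostname to the Strict-Transport-Security value its HTTPS
    endpoint returns (None if missing). preloaded stands in for a lookup of the
    browser preload list; it is a constructed input here.
    """
    src, target = urlparse(start_url).hostname, urlparse(location)
    dst = target.hostname
    policies = {h: parse_hsts(hsts_by_host.get(h)) for h in (src, dst)}
    findings = [f"no HSTS header on {h}" for h, p in policies.items() if p is None]
    if target.scheme != "https":
        findings.append(f"{src} redirects to a non-HTTPS URL")
    elif dst != src:
        # Leaving the host before HTTPS is reached means HSTS is never set for it,
        # unless the target is a parent host whose policy covers subdomains.
        parent_ok = is_parent(dst, src) and policies[dst] and policies[dst]["include_subdomains"]
        if not parent_ok:
            findings.append(f"redirect leaves {src} for {dst} before HSTS can be set on {src}")
    for host, policy in policies.items():
        if policy and policy["preload"] and host not in preloaded:
            findings.append(f"{host} advertises preload but is not on the preload list")
    return findings

# Constructed sample mirroring the thread: apex sends HSTS with preload, www sends none.
SAMPLE_HSTS = {"example.com": "max-age=31536000; includeSubdomains; preload",
               "www.example.com": None}

if __name__ == "__main__":
    for finding in audit_redirect("http://example.com/", "https://www.example.com/", SAMPLE_HSTS):
        print(finding)
```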

Interesting, I recently made the migration to the www subdomain and my apex is lacking HSTS, but I wonder if it’s something to do with the redirect and lack of direct server response? The apex still gets an (albeit lesser) ‘A’ rating … would this hit server reputation, SEO? Things are definitely functioning ok without it.

Don’t know if this is useful?:

You’ll need to look more carefully at the web.template.yml and the resulting nginx config files and then add stuff to get nginx to do what you want.

1 Like