Hello there,
I’m using the standard installation.
This is what I modified in app.yml:
hooks:
  ## Add Let's Encrypt cert for non-www and www domain name
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d example.com -d www.example.com --keylength"
Hostname for your Discourse is: www.example.com
So far the setup works and the cert is delivered for example.com and www.example.com.
But when I check the SSL parameters with SSLLabs, the HSTS header is missing for the domain www.example.com. For example.com it is working:
Strict Transport Security (HSTS) Yes
max-age=31536000; includeSubdomains; preload
And Hardenize (www.hardenize.com) says the following:
Redirection from HTTP to HTTPS not to the same host
When HSTS is used, the plaintext port should redirect to the HTTPS variant of the same hostname. This approach ensures that HSTS is enabled on that hostname, even if later the client is sent elsewhere. A redirection to another host is only safe if it is for a parent host that has HSTS with includeSubDomains enabled, but that’s not the case here.
Starting point:
http://example.de
Current redirection:
https://www.example.com
Expected redirection:
https://example.com
Policy not preloaded
When a hostname is preloaded, that means that browsers embed your HSTS policy and apply it even to the first request sent to your web site. This server indicates preloading in its policy, but the domain name isn’t actually preloaded. We classify this as a warning because it’s a common problem to place the ‘preload’ keyword in the policy even though the infrastructure is not ready for preloading. This is dangerous because, in this situation, anyone can submit this domain name for preloading just by visiting hstspreload.org.
We recommend that you either preload this domain name yourself—if it’s ready—or remove the preloading indicator from the policy until it is ready.
Any ideas why the HSTS header is NOT set for www.example.com domain?
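The two Hardenize rules quoted above (same-host HTTP-to-HTTPS redirect, and HSTS present without an unverified preload flag) can be checked offline against captured responses. This is an added example, not code from the post, Discourse or Hardenize; the RESPONSES table is constructed to mirror the symptom described (HSTS served on example.com but not on www.example.com).

```python
from urllib.parse import urlparse

# Constructed responses (status, headers) keyed by URL; not real captures.
RESPONSES = {
    "http://example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://example.com/": (200, {"Strict-Transport-Security":
                                   "max-age=31536000; includeSubdomains; preload"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {}),  # HSTS header missing, as in the post
}

REDIRECTS = (301, 302, 307, 308)


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return max_age, include_sub, preload


def hsts_for(host, responses):
    """Parsed HSTS policy served on https://host/, or None if the header is absent."""
    _, headers = responses.get(f"https://{host}/", (None, {}))
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    return parse_hsts(value) if value else None


def check_host(host, responses):
    """Findings for one hostname, following the two Hardenize rules quoted above."""
    findings = []
    status, headers = responses[f"http://{host}/"]
    target = urlparse(headers.get("Location", ""))
    if status not in REDIRECTS or target.scheme != "https":
        findings.append("plaintext port does not redirect to HTTPS")
    elif target.hostname != host:
        # A cross-host redirect is only safe to a parent host whose policy has includeSubDomains.
        parent = hsts_for(target.hostname, responses)
        if not (host.endswith("." + target.hostname) and parent and parent[1]):
            findings.append(f"HTTP redirects to {target.hostname}, not to {host}")
    policy = hsts_for(host, responses)
    if policy is None:
        findings.append("HSTS header missing on HTTPS response")
    elif policy[2]:
        findings.append("policy says preload; verify the domain is actually on the preload list")
    return findings
```

Running check_host on both hostnames reproduces the two reports from the post: www.example.com lacks the header, and example.com redirects to a different host while advertising preload.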