https – Errors when checking eligibility for HSTS preload

I have this website set up:
http://website1.com/ – returns 301 Moved Permanently and redirects to http://www.website1.com/.

http://www.website1.com/ – returns 301 Moved Permanently and redirects to https://www.website2.com/.

https://www.website2.com/ – returns 200 OK and has this in the response:

strict-transport-security: max-age=31536000; includeSubDomains

I have this subdomain running a web app:
https://subdomain.website1.com/
This also has the following header in the response:

Strict-Transport-Security: max-age=31536000; includeSubDomains

I want to have preload functionality for all subdomains of website1.com.
However, I get the following errors when checking eligibility:

Error: No HSTS header
Response error: No HSTS header is present on the response.

Error: HTTP redirects to www first
http://website1.com (HTTP) should immediately redirect to https://website1.com (HTTPS) before adding the www subdomain.
Right now, the first redirect is to http://www.website1.com/.
The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

The first error is easy, I can just add the HSTS header.
But why does it matter that there’s a redirect?
All I want is for http://subdomain.website1.com/ to make an internal redirect to https://subdomain.website1.com/.

Can’t http://website1.com make an internal redirect to https://website1.com, regardless of the fact that it redirects to www.website1.com/?
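As an added example (not part of the question), here is an offline model of the two checks behind the errors above. The responses are constructed from the chain described in the question; what https://website1.com/ itself returns is not stated and is assumed here to be a redirect without the header, which is what "No HSTS header" implies. The header requirements (max-age of at least one year, includeSubDomains, preload) are the published preload-list rules; only checking HSTS on hops that stay on website1.com or a subdomain of it is a choice made by this model.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000                 # smallest max-age the preload list accepts
REDIRECTS = {301, 302, 307, 308}
MAX_HOPS = 10

# Constructed responses modelled on the chain in the question: url -> (status, headers).
# The https://website1.com/ entry is an assumption (the question does not show it).
BROKEN_SITE = {
    "http://website1.com/":      (301, {"Location": "http://www.website1.com/"}),
    "http://www.website1.com/":  (301, {"Location": "https://www.website2.com/"}),
    "https://website1.com/":     (301, {"Location": "https://www.website2.com/"}),
    "https://www.website2.com/": (200, {"strict-transport-security":
                                        "max-age=31536000; includeSubDomains"}),
}

# The same site with both fixes: plain HTTP goes straight to HTTPS on the same
# host, and that HTTPS response carries a preload-grade policy on the redirect.
FIXED_SITE = {
    "http://website1.com/":      (301, {"Location": "https://website1.com/"}),
    "https://website1.com/":     (301, {"Location": "https://www.website2.com/",
                                        "Strict-Transport-Security":
                                        "max-age=31536000; includeSubDomains; preload"}),
    "https://www.website2.com/": (200, {"strict-transport-security":
                                        "max-age=31536000; includeSubDomains"}),
}


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_problems(value):
    """List the ways an HSTS value falls short of the preload requirements."""
    if value is None:
        return ["No HSTS header"]
    problems = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        problems.append("missing max-age")
    else:
        try:
            if int(max_age.split("=", 1)[1].strip('"')) < ONE_YEAR:
                problems.append("max-age < 1 year")
        except ValueError:
            problems.append("unparsable max-age")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems


def in_scope(url, domain):
    """True for the domain itself and any of its subdomains."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def check_preload(site, domain):
    """Return the eligibility errors for `domain` against a response map."""
    errors = []
    http_root, https_root = f"http://{domain}/", f"https://{domain}/"

    # Rule 1: plain HTTP must redirect straight to HTTPS on the same host. A
    # browser that is sent to http://www. first never gets an HTTPS response
    # from the bare domain, so it never records a policy for it.
    status, headers = site.get(http_root, (None, {}))
    location = get_header(headers, "Location")
    if status not in REDIRECTS or location != https_root:
        errors.append(f"{http_root} must redirect to {https_root} first, got {location!r}")

    # Rule 2: every HTTPS hop still on `domain` must carry the policy, the
    # redirect responses included; hops on other domains are out of scope.
    url = https_root
    for _ in range(MAX_HOPS):
        if url not in site:
            errors.append(f"{url}: no response")
            break
        status, headers = site[url]
        if urlsplit(url).scheme != "https":
            errors.append(f"{url}: redirect chain fell back to plain HTTP")
            break
        if in_scope(url, domain):
            errors += [f"{url}: {p}" for p in
                       hsts_problems(get_header(headers, "Strict-Transport-Security"))]
        if status not in REDIRECTS:
            break
        url = get_header(headers, "Location")
    else:
        errors.append("too many redirects")
    return errors


if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        print(name, check_preload(site, "website1.com") or "eligible")
```

Run against BROKEN_SITE the model reports exactly the two errors from the question; against FIXED_SITE it reports none. Note that the redirect response from https://website1.com/ must itself carry the header, because that is the only HTTPS response the bare domain ever sends.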

web application – Is this HSTS HTTP Response Header Misconfigured?

I recently discovered during a penetration test that the HSTS header was returned by the application, but in this format:

“Strict-TransportSecurity”

Instead of:

“Strict-Transport-Security”

Does this format mean that the header (HSTS) is not validated by the client and is prevented from doing what it is designed to do? As I understand it, HTTP headers are case-insensitive, but I’m not sure whether this is a valid header name.

Any advice is greatly appreciated. Thank you
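As an added example (not from the question), the following models what a browser does with the raw response. It looks for a field whose name is exactly Strict-Transport-Security, compared case-insensitively (field names are case-insensitive in HTTP), so a name with the hyphen missing is just an unrelated header and no policy is recorded. It processes only the first STS field when several are present (RFC 6797 section 8.1) and parses the value by the section 6.1 rules: directive names are case-insensitive, max-age is required, unknown directives are ignored, and a directive repeated within one field makes the field invalid. The raw responses are constructed.

```python
STS_NAME = "strict-transport-security"

# Constructed raw responses. The first reproduces the field name from the
# question; the others show forms a browser does accept.
MISSPELLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-TransportSecurity: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
CANONICAL = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
LOWERCASE_TWICE = (
    "HTTP/1.1 200 OK\r\n"
    'strict-transport-security: MAX-AGE="86400"; preload\r\n'
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def sts_field_value(raw_response):
    """Value of the first STS header field in a raw response, or None.

    Field names compare case-insensitively but must otherwise match exactly;
    only the first STS field counts if several are present.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == STS_NAME:
            return value.strip()
    return None


def parse_sts(value):
    """Parse an STS value per RFC 6797 section 6.1; None if the field is invalid."""
    seen = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:                          # a repeated directive is a
            return None                           # conformance failure: ignore
        seen[name] = arg.strip().strip('"')       # max-age may be quoted
    if "max-age" not in seen or not seen["max-age"].isdigit():
        return None                               # max-age is REQUIRED
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,             # unknown names are ignored
    }


def hsts_policy(raw_response):
    """The policy a UA would record after receiving this response over TLS."""
    value = sts_field_value(raw_response)
    return None if value is None else parse_sts(value)


if __name__ == "__main__":
    for label, raw in (("misspelled", MISSPELLED), ("canonical", CANONICAL),
                       ("lowercase, two fields", LOWERCASE_TWICE)):
        print(label, "->", hsts_policy(raw))
```

With the misspelled name the result is no policy at all: the browser never sees an STS field, so the site gets none of the protection the header is meant to provide.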

internet explorer – Will implementing HSTS cause parts of my website which use IE6 compatibility mode to break?

I am converting a legacy system designed for IE6 to work on modern browsers.

Those parts of the site which have not yet been converted will only work on Internet Explorer, and the IE6 emulation is provided via the following tag.

<meta http-equiv="X-UA-Compatible" content="IE=5">

I am planning on adding HSTS to the site (via CloudFlare).
I see that HSTS is supported only for Internet Explorer 11 and higher.

Will adding HSTS cause those parts of my site which rely on IE6 emulation to break?

Warning: Unnecessary HSTS header over HTTP

We would like to add the HSTS header to our page https://www.wipfelglueck.de
Our page is running on a shared server, so we don’t have access to httpd.conf. We tried to enable this header via the .htaccess file like this:

<IfModule mod_headers.c>
  # DefaultLanguage is a mod_mime directive, not a mod_headers one
  DefaultLanguage de
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "sameorigin"
  Header set X-Content-Type-Options "nosniff"

  Header set X-Permitted-Cross-Domain-Policies "none"

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  Header set Referrer-Policy "no-referrer"

  # The dot is escaped: an unescaped "." would match any character
  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>

  <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\.(css|js|json|html)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
</IfModule>

When we check the page we receive the warning from the subject line, with this text:
“The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed.”

I have tried several ways to solve this but have not been successful so far. On the web I can’t find a solution, so I would be happy if you could give me a hint on this!

Thank you very much!!
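A corrected fragment, added here and not from the original post. Apache’s Header directive takes an env= condition, and mod_ssl sets the HTTPS environment variable on TLS requests, so the policy is emitted only on HTTPS responses; the plain-HTTP side then carries nothing but a redirect to the same host over HTTPS. The rewrite rule and the X-Forwarded-Proto line are assumptions about the shared host’s setup, not something the post describes.

```apache
<IfModule mod_headers.c>
  # "always" keeps the header on 301/302 responses too (needed for preload);
  # env=HTTPS limits it to TLS requests, so the HTTP page stops sending it.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

# Assumption: TLS is terminated by Apache itself. If the shared host terminates
# TLS on a front proxy, HTTPS is not set and the header would never be sent;
# in that case derive it from the proxy's header instead (requires mod_setenvif):
#   SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

<IfModule mod_rewrite.c>
  # Plain HTTP redirects straight to HTTPS on the same host; the redirect to
  # www (if any) belongs on the HTTPS side, where the policy is delivered.
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

After deploying, request http://wipfelglueck.de and https://wipfelglueck.de with curl -sI and confirm that only the second response carries Strict-Transport-Security.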

tls – “google.com” is not HSTS protected?

Current situation

It is true that, as of Oct 2020, Google does not have HSTS on google.com, but only on www.google.com, and performs redirection first to www and then to https://. Even if there were an HSTS header on google.com, the browser would not see it and be able to cache it. Only www.google.com is protected by HSTS.

Best practices

It is also recommended as best practice by, e.g., the Federal CIO Council that:

In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload 

When using this form, bear in mind:

  • The policy should be deployed at https://domain.gov, not https://www.domain.gov.
  • All subdomains associated with the parent domain must support HTTPS. (They do not have to each have their own HSTS policy.)

The OWASP HTTP Strict Transport Security Cheat Sheet adds (also noted in RFC 6797, section 14.4):

Cookies can be manipulated from sub-domains, so omitting the includeSubDomains option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the secure flag is set on all cookies will also prevent some, but not all, of the same attacks.

This can only be achieved by first redirecting to HTTPS.

Why?

We can only say what would be better; we cannot answer why some are not following these guidelines. Only Google knows why they have implemented it this way. It is not a lack of knowledge or ability, as they have already done it for, e.g., gmail.com, which is currently on the HSTS preload list.

You can get closest to your answer by reading Jay Brown’s Bringing HSTS to www.google.com on the Google Security Blog. From this article, from July 2016, we can find out that it is intentional, due to the complexity of the huge site and for backwards compatibility with legacy services.

Ordinarily, implementing HSTS is a relatively basic process. However,
due to Google’s particular complexities, we needed to do some extra
prep work that most other domains wouldn’t have needed to do. For
example, we had to address mixed content, bad HREFs, redirects to
HTTP, and other issues like updating legacy services which could cause
problems for users as they try to access our core domain.

This process wasn’t without its pitfalls. Perhaps most memorably, we
accidentally broke Google’s Santa Tracker just before Christmas last
year (don’t worry — we fixed it before Santa and his reindeer made
their trip).

audit – Cookie secure flag with HSTS

We have a portal and are trying to win a big corporate client.

Our pentest showed that we don’t have the Secure flag on an authentication cookie.

We do use HSTS however, with preload.

In the latest Chrome, it looks good. In Firefox, the browser sends the cookie over HTTP when requested.

Is this a security issue? Compliance? GDPR?

Will this be a blocker for a corporate Customer win?

It would be best if folks with experience of audits by big corporations could answer here.

I know it is an issue with FF.

Will this be seen as very bad? Be a deal breaker?

Bonus points for info on other browsers, i.e. Edge and IE, and on how to possibly fix the FF behavior.

Thanks,

How to stop Safari on macOS from using https when I want http, when it’s not in the HSTS listing

I believe I have figured it out:

The site is a .app domain, e.g. domain.app, and those sites are by definition HTTPS-only. See here.

So it’s still HSTS-related, but not for an individual site; it applies to the entire “.app” TLD. For that reason I could not find the specific domain name listed in HSTS, nor would deleting the HSTS.plist help.

Well, I’m not sure whether I should keep this question up. Maybe it helps others who run into this.

Background: It was my own site. I moved it, along with others, to a new server, and needed to verify that they work with plain HTTP. So I tested every site over HTTP, and all but this one worked, so I assumed something was wrong with the browsers.

And not only Safari but also Firefox and Chrome want to do HTTPS only.

Strangely, though, other ways of requesting the HTTP site, such as the low-level command wget, do not enforce the HTTPS requirement (they don’t know about it, obviously), which misled me into thinking the problem was a latent browser setting that I could fix.
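The three posts above (www.google.com versus google.com, the non-Secure cookie on an HSTS site, and the .app TLD) all come down to which hosts a stored HSTS policy actually covers. As an added example, not from any of the posts, here is a minimal model of a browser’s known-HSTS-host store as RFC 6797 section 8 describes it (exact match, or superdomain match when that policy carries includeSubDomains, with expiry), the http-to-https rewrite it drives, and the RFC 6265 rule for when a cookie rides along. The preload entries, the host portal.example, the cookie jar and the clock value are constructed; gmail.com being preloaded is from the answer above, and the "app" entry stands in for the whole-TLD preload entry the Safari post describes.

```python
# Constructed preload entries, host -> include_subdomains. gmail.com is on the
# preload list (as the answer above notes); "app" stands in for the whole-TLD
# entry that makes every .app name HTTPS-only, as the Safari post describes.
PRELOADED = {"gmail.com": True, "app": True}

NOW = 1_600_000_000      # constructed "current time", seconds since the epoch
ONE_YEAR = 31536000


def host_of(url):
    """Lower-cased host of an http(s) URL, with port and path stripped."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


class HstsStore:
    """Minimal model of a browser's known-HSTS-host store (RFC 6797 section 8)."""

    def __init__(self, preloaded=PRELOADED):
        # host -> (expiry time, include_subdomains); preloaded entries never expire
        self.hosts = {h: (float("inf"), inc) for h, inc in preloaded.items()}

    def learn(self, host, max_age, include_subdomains, now):
        """Record a policy received over an error-free TLS connection (assumed)."""
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 tells the UA to forget the host
        else:
            self.hosts[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """Exact match, or a superdomain match whose policy includes subdomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue                 # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def effective_url(self, url, now):
        """The URL the UA actually fetches: http:// becomes https:// for known hosts."""
        if url.startswith("http://") and self.is_known(host_of(url), now):
            return "https://" + url[len("http://"):]
        return url


def cookies_for_request(jar, url):
    """Names of the cookies a UA attaches to `url` (RFC 6265 domain match + Secure).

    Jar entries are (name, domain, host_only, secure). A Secure cookie is only
    sent over https; a non-Secure one is sent wherever the domain matches,
    plain-HTTP requests included.
    """
    host, https = host_of(url), url.startswith("https://")
    sent = []
    for name, domain, host_only, secure in jar:
        matches = host == domain or (not host_only and host.endswith("." + domain))
        if matches and (https or not secure):
            sent.append(name)
    return sent


def google_case():
    """Policy only on www.google.com, as the answer above describes."""
    store = HstsStore()
    store.learn("www.google.com", ONE_YEAR, False, NOW)
    return [store.effective_url(u, NOW) for u in
            ("http://google.com/", "http://www.google.com/", "http://mail.google.com/")]


def apex_case():
    """The recommended form: policy on the apex domain with includeSubDomains."""
    store = HstsStore()
    store.learn("domain.gov", ONE_YEAR, True, NOW)
    return [store.effective_url(u, NOW) for u in
            ("http://domain.gov/", "http://www.domain.gov/", "http://mail.domain.gov/")]


def cookie_case():
    """Auth cookie without Secure on a host whose policy lacks includeSubDomains."""
    store = HstsStore()
    store.learn("portal.example", ONE_YEAR, False, NOW)     # constructed host
    jar = [("auth", "portal.example", False, False),        # domain cookie, no Secure
           ("auth_secure", "portal.example", False, True)]  # same cookie with Secure
    result = {}
    for url in ("http://portal.example/", "http://static.portal.example/"):
        final = store.effective_url(url, NOW)
        result[url] = (final, cookies_for_request(jar, final))
    return result


if __name__ == "__main__":
    print(google_case())
    print(apex_case())
    print(HstsStore().effective_url("http://domain.app/", NOW))
    for url, (final, sent) in cookie_case().items():
        print(url, "->", final, "cookies:", sent)
```

In the model, a policy learned only from www.google.com leaves http://google.com/ and http://mail.google.com/ unrewritten, while the same policy on the apex with includeSubDomains upgrades all three. The cookie case shows the gap HSTS alone leaves: a domain cookie without Secure is still sent in the clear to any host the policy does not cover, and preloading the apex with includeSubDomains is what closes that gap for subdomains; the Secure flag closes it for every host regardless of HSTS state.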

certificates – MITM attack with HSTS implemented websites

I want to perform a Man-in-the-Middle attack against my own network for educational purposes.
I want the following scenario: perform a MITM attack with Bettercap, navigate to a website and accept the certificate warning, which means accepting the certificate presented by Bettercap (the attacker).

Question 1: 

I want to know whether this is possible nowadays, with the HSTS security policy being implemented on websites and the HSTS preload list.

Question 2:

Are my only possibilities the websites that don’t have HSTS implemented, or is there a way to remove HSTS and perform the attack by accepting the certificate?

Does HSTS prevent packet capturing in Wireshark

Packet capturing happens at the network level. Since the browser has to send out network packets to fetch a site for you, you can always capture the network packets. HSTS has no impact on this process at all.

What HSTS does is help the browser decide whether or not it MUST use HTTPS instead of HTTP. If the browser decides to use HTTPS then of course the data in the packets will be encrypted, so while you can still capture the packets, you won’t be able to read their contents.

Of course you could get around that locally by using a proxy to intercept all your network traffic and adding its root certificate to your certificate store. As long as the application/website isn’t using public key pinning, you will be able to intercept and decrypt the traffic so you can read it. Of course we’re talking about your own browser here, so you could have done this just as easily in your browser’s network tab.

Remember though that all of the above is difficult or impossible to do on someone else’s machine, so none of this will help you to extract a token in a GET request from someone else.