Duplicate HSTS header

Nummer378

Jan 8, 2020, 11:16:17 AM
to crt.sh
New servers look great, congrats!

Just had a quick look at it and noted that Qualys SSLLabs flagged your service as "Server sent invalid HSTS policy - Server provided more than one HSTS header"

Inspection with curl shows that you're sending two HSTS headers (+ Expect-CT):

< Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
< Expect-CT: preload
< Strict-Transport-Security: max-age=15768000

The first one seems to be the one that is intended.
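The report above is the kind of thing a response-header audit should catch before a scanner does. The following is an added example, not code from the thread or from crt.sh: it parses a raw HTTP response header block (as pasted from `curl -I`), counts the Strict-Transport-Security fields, and sanity-checks the policy a browser will actually apply. Per RFC 6797 section 8.1 a user agent processes only the first STS header field, so the extra copy contributes nothing and only trips validators. The sample block embeds the three header lines quoted above inside a constructed status line and filler headers; the preload minimum max-age is an assumed threshold, not something stated in the thread.

```python
"""Audit the Strict-Transport-Security (HSTS) headers in a raw HTTP response block."""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed sample: the three header lines quoted in the thread, wrapped in a
# made-up status line and filler headers so the block parses stand-alone.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Expect-CT: preload
Strict-Transport-Security: max-age=15768000
Content-Type: text/html
"""

# Assumed preload-list requirement (one year); check hstspreload.org for the current value.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsReport:
    count: int                                   # how many STS header fields were sent
    effective: Dict[str, Union[str, bool]]       # directives of the header a UA will honour
    findings: List[str] = field(default_factory=list)


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response header block into ordered (name, value) pairs, names lower-cased."""
    pairs = []
    for line in raw.splitlines()[1:]:            # skip the status line
        if not line.strip():
            break                                # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts_directives(value: str) -> Dict[str, Union[str, bool]]:
    """Parse 'max-age=N; includeSubDomains; preload' into {directive: value-or-True}."""
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def audit_hsts(raw: str, preload_min_max_age: int = PRELOAD_MIN_MAX_AGE) -> HstsReport:
    """Report duplicate STS fields and sanity-check the policy a UA would actually apply."""
    values = [v for n, v in parse_header_block(raw) if n == "strict-transport-security"]
    report = HstsReport(count=len(values), effective={})
    if not values:
        report.findings.append("no Strict-Transport-Security header sent")
        return report
    if len(values) > 1:
        # RFC 6797 section 8.1: a UA MUST process only the first STS header field,
        # so the extra copies add nothing and some scanners flag the policy as invalid.
        report.findings.append(
            f"{len(values)} Strict-Transport-Security headers sent; only the first is processed")
    report.effective = parse_hsts_directives(values[0])

    max_age = report.effective.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        report.findings.append("effective policy has no valid max-age; UAs will ignore it")
        return report
    if "preload" in report.effective:
        if "includesubdomains" not in report.effective:
            report.findings.append("preload requested without includeSubDomains")
        if int(max_age) < preload_min_max_age:
            report.findings.append(
                f"preload requested but max-age={max_age} is below the assumed minimum {preload_min_max_age}")
    return report


if __name__ == "__main__":
    # Pipe the output of `curl -sI https://host/` (or any raw header block) on stdin;
    # otherwise the constructed sample is audited.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE_HEADERS
    result = audit_hsts(data)
    print(f"STS headers: {result.count}, effective policy: {result.effective}")
    for finding in result.findings:
        print(" -", finding)
```

Running this against the sample reports two STS fields and shows that the browser-effective policy is the first one (with includeSubDomains and preload), which matches the observation in the post. Because STS is not defined as a comma-separated list field, a proxy cannot safely merge the two copies either; the fix is to emit the header from exactly one layer, as the follow-up in this thread describes.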

Rob Stradling

Jan 14, 2020, 7:49:23 AM
to crt.sh
Thanks for reporting this.  It's been fixed.

The first HSTS header is sent by the httpd server.  Our ops team just told me that the second HSTS header was being blindly added by the front-end load balancers.