Reputation: 99
I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list:
<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</ifModule>
The problem is that when I submit my site, I obtain:
Warning: Unnecessary HSTS header over HTTP. The HTTP page at http://fabriziorocca.it sends an HSTS header. This has no effect over HTTP, and should be removed.
At the moment I use the following in the .htaccess in order to switch from http to https:
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
How can I solve the problem?
Thank you in advance.
Upvotes: 5
Views: 4959
Reputation: 18671
Try with:
<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</ifModule>
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Upvotes: 1
Reputation: 717
I added this in .htaccess and it works perfectly for me.
RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
env=HTTPS does not work now.
Upvotes: 1
Reputation: 37
Below your redirect rules add the code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Upvotes: 1
Reputation: 237
No...
Error: HTTP redirects to www first
http://domain.fr (HTTP) should immediately redirect to https://domain.fr (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.domain.fr/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
Upvotes: 0
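The two messages quoted in this thread (HSTS header sent over HTTP, and HTTP redirecting to www first) can be checked against a recorded redirect chain before resubmitting. The following is an added example, not code from any of the posts: the function names, the placeholder host example.test and the sample chains are constructed, and the one-year max-age threshold is an assumption taken from the header in the question.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # assumed threshold: the max-age used in the question's header
HSTS = "max-age=31536000; includeSubDomains; preload"

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument or True}."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') or True
    return out

def check_chain(hops):
    """hops: [(url, status, headers), ...] in the order a client follows them.
    Returns a list of problems; an empty list means every check passed."""
    problems = []
    for i, (url, status, headers) in enumerate(hops):
        u = urlsplit(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        hsts = hdrs.get("strict-transport-security")
        if u.scheme == "http" and hsts is not None:
            problems.append(f"HSTS header sent over HTTP at {url}")
        if u.scheme == "https":
            d = parse_hsts(hsts or "")
            age = d.get("max-age")
            if not (isinstance(age, str) and age.isdigit() and int(age) >= MIN_MAX_AGE):
                problems.append(f"max-age missing or below {MIN_MAX_AGE} at {url}")
            problems += [f"{f} directive missing at {url}"
                         for f in ("includesubdomains", "preload") if f not in d]
        if i == 0 and u.scheme == "http":
            to = urlsplit(hdrs.get("location", ""))
            if status not in (301, 302, 307, 308) or to.scheme != "https" or to.hostname != u.hostname:
                problems.append(f"first redirect from {url} must go to HTTPS on the same host")
    return problems

# Constructed redirect chains for the placeholder host example.test.
GOOD = [("http://example.test/", 301, {"Location": "https://example.test/"}),
        ("https://example.test/", 301, {"Location": "https://www.example.test/",
                                        "Strict-Transport-Security": HSTS}),
        ("https://www.example.test/", 200, {"Strict-Transport-Security": HSTS})]
# Header sent unconditionally, as in the question's first configuration.
HEADER_ON_HTTP = [("http://example.test/", 301, {"Location": "https://example.test/",
                                                 "Strict-Transport-Security": HSTS})] + GOOD[1:]
# www added before the switch to HTTPS, as in the error quoted in the last post.
WWW_FIRST = [("http://example.test/", 301, {"Location": "https://www.example.test/"}), GOOD[2]]

if __name__ == "__main__":
    for name, chain in [("good", GOOD), ("header on http", HEADER_ON_HTTP), ("www first", WWW_FIRST)]:
        print(name, check_chain(chain))
```

To use it on a real site, record each hop's URL, status and response headers (for example from the output of a header-only request per hop) and pass them in the same tuple form.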