HSTS Preload Submission

Question

I want to pass all tests for HSTS Preload.

I currently have 2 errors, that I need to solve:

First:

`http://example.com` (HTTP) should immediately redirect to
`https://example.com` (HTTPS) before adding the www subdomain. 
Right now, the first redirect is to `https://www.example.com/`.

My htaccess looks like this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]

Second:

Response error: No HSTS header is present on the response.

My htaccess looks like this:

<ifModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=84600; includeSubDomains"
</IfModule>

What am I missing and how can I pass the tests?

I use this test site; https://hstspreload.appspot.com/

Answer 1

You can try this to pass the test.

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L,E=HTTPS:1]
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Answer 2

This is the correct one:

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"   
</ifModule>