ray805

Reputation: 61

Duplicate Strict-Transport-Security in web site

I was asked by our compliance team at work to add 'includeSubDomains' to the Strict-Transport-Security header for our site. So I added the entry below (top one) to our .NET site's web config. But when I did that, I see another Strict-Transport-Security entry (2nd one below) with only the max-age and a bigger value.

Strict-Transport-Security:
max-age=31536000; includeSubDomains

Strict-Transport-Security:
max-age=157680000

My questions are:

  1. Which one would the browsers obey? (I'm hoping the one with the includeSubDomains)
  2. Is there a way to remove the second one, and how is it set? My site is hosted in IIS 10 and I checked in the HTTP headers configuration and don't see where the 2nd one is set; only the top one is set there.

I googled around for dup headers to see what they say about this but can't find anything on my particular situation or how to remove it.

Upvotes: 2

Views: 1534

Answers (2)

Nux

Reputation: 10002

Not tested on IIS but you should be able to remove the header and add a new one:

<configuration>
   <system.webServer>
      <httpProtocol>
         <customHeaders>
            <!-- <remove> drops an entry inherited from a parent level
                 (site or server, i.e. applicationHost.config); it does not
                 affect a header added by application code or middleware -->
            <remove name="Strict-Transport-Security" />
            <add name="Strict-Transport-Security" value="max-age=15768000" />
         </customHeaders>
      </httpProtocol>
   </system.webServer>
</configuration>

Same thing for Apache HTTPD (tested, works when Apache serves as a proxy).

<VirtualHost *:443>
...
    # Setup HSTS
    # (remove first as only one HSTS is allowed)
    # Note: without "always", Header only acts on 2xx responses;
    # "Header always unset" / "Header always set" also cover redirects and error pages
    Header unset Strict-Transport-Security
    Header add Strict-Transport-Security "max-age=15768000"
...
</VirtualHost>

Upvotes: 0

YurongDai

Reputation: 2375

According to RFC 6797, section 8.1, the browser must only process the first header:

If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field.

The second header may be set at a different level. In IIS Manager, check whether the "HTTP Response Headers" module is configured at the server level.

If it's not in the IIS configuration, it could be added by some middleware, custom code, or security software. Check your application's code for any explicit headers being set.

Once you identify where the second header is coming from, you can modify the configuration or code to remove it or adjust its settings.

Upvotes: 0
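An added example, written for this page and not code from the question or either answer, that applies the RFC 6797 rules YurongDai cites to a raw HTTP response: it collects every Strict-Transport-Security field in wire order, keeps only the first (section 8.1), and parses it under the section 6.1 syntax rules (max-age mandatory, directive names case-insensitive, no directive repeated, unknown directives ignored, a non-conforming field ignored as a whole, and nothing processed unless the response came over TLS). The sample response is constructed to mirror the two headers in the question; `live_sts_fields` is an optional helper for checking a real host with the standard library and is not exercised offline.

```python
"""Which Strict-Transport-Security header does a browser actually honour?

RFC 6797 section 8.1: when a response carries more than one STS header field,
the UA processes only the first one. Section 6.1: max-age is required, directive
names are case-insensitive, no directive may appear twice, unknown directives
are ignored, and a field value that does not conform is ignored as a whole.
HSTS is only ever processed for responses received over secure transport.
"""
import http.client
import re
from dataclasses import dataclass, field
from typing import List, Optional

STS = "strict-transport-security"


@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def sts_fields(raw_response: bytes) -> List[str]:
    """Every STS field value in the response head, in wire order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:            # [0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == STS:
            values.append(value.strip())
    return values


def parse_sts(value: str) -> Optional[StsPolicy]:
    """Parse one field value per RFC 6797 6.1; None means the UA must ignore it."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    unknown = []
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:                          # "a; ;b" is legal, skip empties
            continue
        name, _, dval = directive.partition("=")
        name = name.strip().lower()
        dval = dval.strip().strip('"')             # quoted-string form is allowed
        if name in seen:
            return None                            # duplicate directive -> invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", dval):
                return None                        # max-age must be delta-seconds
            max_age = int(dval)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(name)                   # unknown directives are ignored
    if max_age is None:
        return None                                # max-age is mandatory
    return StsPolicy(max_age, include_subdomains, preload, unknown)


def effective_policy(fields: List[str], secure_transport: bool = True) -> Optional[StsPolicy]:
    """The policy a conforming UA stores: the first field only, and only over TLS."""
    if not secure_transport or not fields:
        return None
    return parse_sts(fields[0])


def live_sts_fields(host: str, path: str = "/") -> List[str]:
    """Fetch the STS fields of a real host (hypothetical use, not run offline).
    get_all() keeps wire order and does not join duplicates as getheader() does."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.headers.get_all("Strict-Transport-Security") or []


# Constructed sample mirroring the two headers in the question.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Strict-Transport-Security: max-age=157680000\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    fields = sts_fields(SAMPLE_RESPONSE)
    print("fields seen:", fields)
    print("browser uses:", effective_policy(fields))
    if len(fields) > 1:
        print("WARNING: %d STS fields; all but the first are ignored" % len(fields))
```

For the question's response the first field wins, so the includeSubDomains policy is what a conforming browser stores; the longer max-age in the second field is never seen. The same check run with `live_sts_fields` against the site is a quick way to confirm that a configuration change actually removed the extra field rather than merely reordering it.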
