HSTS Preloading apache 2.4.18


#1

I have 'Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"' and although the test shows HSTS support, it says no to preloading. Any ideas? https://www.ssllabs.com/ssltest/analyze.html?d=dipconsultants.com
Thanks


#2

HSTS preloading means that your domain is included in a list shipped by browsers. If you’re on that list, browsers will refuse to connect to your domain through HTTP even if it’s never been visited before by the user. Without preloading, HSTS only starts getting enforced after the first visit (so users would still be vulnerable to SSL stripping attacks during the first visit).

You can request to be added here.


#3

Be very careful about getting on the list. Once you’re on, it’s hard to get removed due to the wide use of it. Only request an add if you are willing to keep SSL running in perpetuity for that domain and all sub-domains.


#4

As @pfg said, you need to submit your site to the preload list at the link provided. I went there to check if you had submitted and it turned out you hadn’t. In checking your site it has now been flagged for submission and will be reviewed. If the preload token is present it will be added to the preload lists and eventually make it out to the browsers. Further to what @motoko said, preloading is pretty much a permanent thing as you aren’t likely to get out of the preload lists. Make sure it’s what you want or remove the preload token.
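The replies above (#2 and #4) turn on one detail: the preload list only accepts a header that carries the preload token together with includeSubDomains and a sufficiently large max-age, and a header missing any of them is simply discarded. The checker below is an added example, not code from the thread or from hstspreload.org; it parses a Strict-Transport-Security value the way RFC 6797 describes (semicolon-separated directives, case-insensitive names, a max-age value that may be quoted, no directive repeated) and reports what would keep the site off the list. The one-year minimum is the current hstspreload.org requirement as of this writing (it has been raised over time, so treat the constant as an assumption and adjust it); the sample header values are constructed, the first one copying the header from post #1.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload
list requirements. Added example; not the thread's or hstspreload.org's code."""

# Minimum max-age (seconds) the preload list currently requires: one year.
# Assumption for this example; the site has raised the threshold before.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an STS header value into {directive_name: directive_value}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    a value may be quoted, and no directive may appear more than once.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    return directives


def check_preload(value):
    """Return the problems that would keep this header off the preload list.

    An empty list means the header itself is acceptable. The site must still
    be reachable over HTTPS with a valid certificate, redirect HTTP to HTTPS
    on the same host, and serve the header on every subdomain.
    """
    problems = []
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]

    if "max-age" not in d:
        problems.append("max-age directive missing")
    elif not d["max-age"].isdigit():
        problems.append("max-age must be a non-negative integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {d['max-age']} is below the {PRELOAD_MIN_MAX_AGE} "
            "seconds the preload list requires"
        )
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


# Constructed sample values; the first is the header from post #1.
SAMPLES = {
    "post #1": "max-age=15552000; includeSubdomains; preload",
    "fixed": "max-age=31536000; includeSubDomains; preload",
    "no token": 'max-age="63072000"; includeSubDomains',
    "duplicate": "max-age=31536000; preload; max-age=0",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        result = check_preload(header) or ["ok: header meets preload rules"]
        print(f"{label:10} {header}")
        for line in result:
            print(f"           - {line}")
```

With the thread's own header the only finding is the max-age, which at 15552000 seconds (180 days) is below the list's minimum; raising it while keeping includeSubDomains and preload is the change that makes the Apache line in post #1 preload-eligible. Keep in mind that the browser ignores the header entirely on plain-HTTP responses, and that Apache's `Header always set` is what ensures it is also sent on error responses.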


#5

Is there a public method to check if a specific site has been submitted?


#6

Maybe here:

https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json


#7

Just type the domain in here: https://hstspreload.appspot.com/


#8

Typing the domain in there has the side effect of submitting the domain, if that has not been done yet.

It should be safe, as the domain will be discarded if the preload attribute is not set on the HSTS header. However, I felt like it was worth the mention since @Svavar_Kjarrval was asking about a way to check the status specifically. As far as I know, such a feature doesn’t exist (there is no way to know if the domain is waiting to be approved vs. not submitted).


#9

That doesn’t help me know if my domain has been submitted but not (yet) approved.


#11

It does:



#12

Hmm… didn’t notice anything like that last time I checked.