Warning: Unnecessary HSTS header over HTTP
We would like to add the HSTS header to our page https://www.wipfelglueck.de. Our page is running on a shared server, so we don't have access to the httpd.conf. We tried to enable this header via the .htaccess file like this:

```apache
<IfModule mod_headers.c>
    DefaultLanguage de

    # Security headers
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "sameorigin"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # Header name without a trailing colon; value quoted
    Header set Referrer-Policy "no-referrer"

    # Caching
    <FilesMatch "\.(js|css|xml|gz)$">
        Header append Vary Accept-Encoding
    </FilesMatch>
    # Dot escaped so it matches a literal "." rather than any character
    <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    <FilesMatch "\.(css|js|json|html)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
</IfModule>
```
When we check the page we receive the warning in the subject with this text: "The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed."
I tried some ways to solve this, but was not successful so far. On the web I can't find a solution, so I would be happy if you could give me a hint on this!
Thank you very much!!
You can conditionally set headers using

```apache
Header always set Strict-Transport-Security "..." env=HTTPS
```

(you can use both env= simultaneously, the former only filters by response status)
That being said, do not optimize for benchmarks or compliance checkmarks. This header does not do anything, caring about it just takes away attention from things that do have effects. This header simply has no effect when not sent via secured transports – but as these days, (almost) all plaintext requests should just redirect to https://, this is true for (almost) any response header in
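The `env=HTTPS` condition moves the decision to the server, but the only way to know the scanner's warning is gone is to look at what each scheme actually returns. The following Python is an added example, not code from either post: it parses raw HTTP responses and reports the HSTS placement problems discussed above (HSTS sent over plaintext, a plaintext response that does not redirect to https://, HSTS missing or too short over TLS). The sample responses are constructed for the example and use a placeholder host; the check names (`hsts-over-http` and so on) are this example's own.

```python
"""Audit HSTS placement from raw HTTP responses (added example, not from the thread)."""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # the max-age the asker's config uses; also the preload minimum

# Constructed sample responses for a placeholder host. They are fabricated for this
# example, not captured from any real server.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html>plaintext page</html>"
)
HTTP_REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.invalid/\r\n"
    "\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html>tls page</html>"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw response into (status code, lower-cased header map)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a directive map (names lower-cased)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return a list of finding names for one response; an empty list means no issue found."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")

    if scheme == "http":
        # Browsers ignore HSTS on plaintext responses: this is exactly the scanner's warning.
        if hsts is not None:
            findings.append("hsts-over-http")
        # The plaintext variant should only ever redirect to https://.
        location = headers.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("no-https-redirect")
        return findings

    # scheme == "https": the header must be present and long-lived here.
    if hsts is None:
        findings.append("hsts-missing")
        return findings
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append("hsts-short-max-age")
    # Preload submission requires includeSubDomains and at least one year of max-age.
    if "preload" in directives and ("includesubdomains" not in directives or max_age < ONE_YEAR):
        findings.append("preload-requirements-unmet")
    return findings


def audit_raw(scheme: str, raw: str) -> List[str]:
    """Convenience wrapper: parse a raw response and audit it."""
    status, headers = parse_response(raw)
    return audit(scheme, status, headers)


if __name__ == "__main__":
    for scheme, raw in (("http", HTTP_RESPONSE), ("http", HTTP_REDIRECT_RESPONSE), ("https", HTTPS_RESPONSE)):
        print(scheme, audit_raw(scheme, raw) or ["ok"])
```

Running this against the constructed plaintext response reproduces the scanner's complaint (`hsts-over-http`) and also flags that the page answered 200 instead of redirecting; the redirecting variant and the TLS response pass. One caveat worth keeping in mind on shared hosting: if TLS is terminated in front of Apache, the `HTTPS` environment variable may not reflect the client's connection, so a check like this against both `http://` and `https://` is a better confirmation than trusting the directive alone.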