Warning: Unnecessary HSTS header over HTTP

We would like to add the HSTS header to our page https://www.wipfelglueck.de. Our page is running on a shared server, so we don't have access to the httpd.conf. We tried to enable this header via the .htaccess file like this:

<IfModule mod_headers.c>
  # DefaultLanguage is a mod_mime directive; it works here only because the
  # module is present, but it has nothing to do with mod_headers.
  DefaultLanguage de

  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "sameorigin"
  Header set X-Content-Type-Options "nosniff"
  Header set X-Permitted-Cross-Domain-Policies "none"

  # Sent unconditionally, i.e. on plain-HTTP responses as well
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # The header name must be given without a trailing colon, and the value quoted
  Header set Referrer-Policy "no-referrer"

  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>

  # The dot must be escaped; an unescaped "." matches any character
  <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\.(css|js|json|html)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
</IfModule>

When we check the page we receive the warning in the subject with this text: "The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed."

I tried some ways to solve this, but was not successful so far. On the web I can't find a solution, so I would be happy if you could give me a hint on this!

Thank you very much!!

Vice Professor Asked on October 26, 2020 in centos.
1 Answer(s)

You can conditionally set headers using env=

Header always set Strict-Transport-Security "..." env=HTTPS 

(you can use both always and env= simultaneously, the former only filters by response status)

That being said, do not optimize for benchmarks or compliance checkmarks. This header does not do anything; caring about it just takes away attention from things that do have effects. This header simply has no effect when not sent via secured transports, but since these days (almost) all plaintext requests should just redirect to https://, the same is true for (almost) any response header sent over http://.

Vice Professor Answered on October 26, 2020.
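The answer above says two things: the HSTS header is meaningless on an http:// response, and the http:// response should be a redirect to https:// anyway. The following checker, added here as an example and not part of the original question or answer, encodes both rules plus the preload-list requirements (max-age of at least one year, includeSubDomains present) so that a response can be judged before a scanner complains. The responses it inspects are constructed inline to mirror the situation in the question; nothing is fetched from wipfelglueck.de.

```python
"""Offline HSTS sanity check for http:// and https:// responses.

Added example: checks a (scheme, status, headers) triple against the rules
discussed in the answer. All sample responses below are constructed, not
captured from the site in the question.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# hstspreload.org requires max-age >= 31536000 (one year) and includeSubDomains
PRELOAD_MIN_AGE = 31536000


@dataclass
class Finding:
    level: str     # "warn" or "error"
    message: str


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive map.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_response(url: str, status: int, headers: dict[str, str]) -> list[Finding]:
    """Return findings for one response; an empty list means the response is fine."""
    scheme = urlsplit(url).scheme.lower()
    hdrs = {k.lower(): v for k, v in headers.items()}
    hsts = hdrs.get("strict-transport-security")
    findings: list[Finding] = []

    if scheme == "http":
        # Rule 1: the browser ignores HSTS on plain HTTP, so sending it is noise.
        if hsts is not None:
            findings.append(Finding("warn", f"The HTTP page at {url} sends an HSTS header. "
                                            "This has no effect over HTTP, and should be removed."))
        # Rule 2: the only sensible plain-HTTP response is a permanent redirect to https://.
        location = hdrs.get("location", "")
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append(Finding("error", f"{url} returns {status} instead of a permanent "
                                             "redirect to https://"))
        return findings

    if hsts is None:
        findings.append(Finding("error", f"{url} sends no Strict-Transport-Security header"))
        return findings

    d = parse_hsts(hsts)
    max_age_raw = d.get("max-age")
    if max_age_raw is None or not max_age_raw.isdigit():
        findings.append(Finding("error", "HSTS max-age is missing or not an integer"))
        return findings
    max_age = int(max_age_raw)
    if max_age == 0:
        findings.append(Finding("warn", "max-age=0 tells browsers to forget the HSTS policy"))
    if "preload" in d:
        if max_age < PRELOAD_MIN_AGE:
            findings.append(Finding("error", f"preload requested but max-age={max_age} "
                                             f"is below {PRELOAD_MIN_AGE}"))
        if "includesubdomains" not in d:
            findings.append(Finding("error", "preload requested without includeSubDomains"))
    return findings


# Constructed samples: what the .htaccess in the question produces, and the fixed version.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"
BEFORE_HTTP = ("http://wipfelglueck.de", 200, {"Strict-Transport-Security": HSTS_VALUE})
AFTER_HTTP = ("http://wipfelglueck.de", 301, {"Location": "https://www.wipfelglueck.de/"})
AFTER_HTTPS = ("https://www.wipfelglueck.de", 200, {"Strict-Transport-Security": HSTS_VALUE})


def audit_all() -> dict[str, list[Finding]]:
    """Run the check over the constructed samples, keyed by a short label."""
    return {
        "before/http": check_response(*BEFORE_HTTP),
        "after/http": check_response(*AFTER_HTTP),
        "after/https": check_response(*AFTER_HTTPS),
    }


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.level}] {f.message}")
```

The "before/http" sample reproduces the scanner warning from the question verbatim and additionally flags that the page answers 200 over plain HTTP instead of redirecting; once the redirect is in place and the header is restricted to HTTPS (the env=HTTPS condition from the answer), both http:// and https:// come back clean.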