
I have a local server serving HTTPS using a self-signed certificate. It does not serve HTTP. The certificate is issued with cn=host1.subdomain1.domain1. The server is reachable under the name host2, too. If I open https://host2 I get warnings, but I can define an exception for the certificate and can access the server's content. The server does not and never did return an HSTS header. If I access the server via https://host1.subdomain1.domain1, Firefox gives an HSTS warning and doesn't allow an exception. It is possible that servers at domain1 or subdomain1.domain1 delivered HSTS headers. Possibly they applied to sub-domains, too.

But: Even after clearing history and about:permissions entries, the behaviour is the same. So, where does the HSTS information come from?

1 Answer

The HSTS header can instruct the browser to include subdomains by using includeSubDomains. Browsers may also contain a preloaded list of domains which use HSTS.

  • A site can use the following to specify HSTS with six-month duration and including subdomains:

    Strict-Transport-Security: max-age=15768000; includeSubDomains
    
  • The effect of doing this is exactly as described in your question. The key here is the includeSubDomains at the end of the header line.

  • Note that current versions of most major browsers maintain an internal list of websites which are known to use HSTS and can therefore demand HTTPS connectivity even when connecting to a particular domain for the first time. See also: OWASP on HTTPS Strict Transport Security.
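As an added example (not part of the answer above, and not how any particular browser is implemented), here is a small Python model of how a browser parses a `Strict-Transport-Security` header, caches the result per host, and decides whether a hostname is covered. With the hostnames from the question, an entry recorded for `domain1` with `includeSubDomains` covers `host1.subdomain1.domain1` even though that host never sent the header, while `host2` stays uncovered. The preload list is modelled as a plain dictionary; `example.test` in it is a constructed placeholder, not a real preloaded domain.

```python
"""Minimal model of browser HSTS state: header parsing, cache, preload, lookup."""


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns (max_age_seconds, include_subdomains), or None if the header is
    malformed. max-age is mandatory; directive names are case-insensitive and
    unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS cache keyed by exact hostname, plus a preload list.

    Cache entries map host -> (expiry_epoch_seconds, include_subdomains).
    The preload list maps host -> include_subdomains and never expires.
    """

    def __init__(self, preload=None):
        self.entries = {}
        self.preload = {h.lower(): v for h, v in (preload or {}).items()}

    def observe(self, host, header_value, now):
        """Record a header seen from `host` at time `now`.

        A real browser only honours the header on an error-free HTTPS
        connection; that precondition is assumed to hold here.
        """
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def is_hsts_host(self, host, now):
        """True if `host` must be reached over HTTPS with no overridable
        certificate errors. Checks the exact host, then each parent domain,
        where a parent only counts if its entry has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            if candidate in self.entries:
                expiry, include_sub = self.entries[candidate]
                if expiry > now and (exact or include_sub):
                    return True
        return False


def demo():
    """Reproduce the situation from the question with constructed data."""
    store = HstsStore(preload={"example.test": True})  # constructed preload entry
    # Some other server at domain1 once sent the header from the answer.
    store.observe("domain1", "max-age=15768000; includeSubDomains", now=0)
    return {
        "host1.subdomain1.domain1": store.is_hsts_host("host1.subdomain1.domain1", now=100),
        "host2": store.is_hsts_host("host2", now=100),
        "sub.example.test (preload)": store.is_hsts_host("sub.example.test", now=100),
    }


if __name__ == "__main__":
    for name, enforced in demo().items():
        print(f"{name}: {'HSTS enforced' if enforced else 'not enforced'}")
```

The lookup walks from the exact hostname up through its parents, which is why an `includeSubDomains` entry cached for `domain1` (or present in the preload list) still applies after clearing history for `host1.subdomain1.domain1` itself: the state lives on the parent entry, not on the host you are visiting.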
