Adding to HSTS Preload list

I have selected “Always Use HTTPS” and “HTTP Strict Transport Security (HSTS)” options under the “Edge Certificates” section of the SSL/TLS part of the Cloudflare control panel. I have also added a permanent redirect to https under the page rules (www.artifuse.ch/* Forwarding URL (Status Code: 301 - Permanent Redirect, Url: https://artifuse.ch/$1)). My site is accessible via https, and all seems to be working fine. Nevertheless, when I try to add my site to the HSTS Preload list (https://hstspreload.org/), I receive the following error: Error: No redirect from HTTP. http://artifuse.ch does not redirect to https://artifuse.ch.
Is there anything else that I need to do?

That’s odd, and I see the same message for your domain.

Why are you using a Page Rule instead of the SSL/TLS Edge Certificates for “Always Use HTTPS”? That’s what I’ve always used and haven’t had a problem with the preload list.

I added the page rule, only after I encountered this error, hoping that it might fix the problem (it didn’t help).

Is your origin doing something funny?

When I use cURL to your root domain over HTTPS I seem to get into an infinite loop.

% curl -I https://artifuse.ch/
HTTP/2 302
location: /

This might be causing the hstspreload.org validator some issues.

The HSTS Preload check does not like when you change the hostname when doing the redirect to HTTPS. This is unlikely to be an issue for your redirect from http://www.artifuse.ch to https://artifuse.ch/, but would be an issue if you went from http://artifuse.ch to https://www.artifuse.ch/


A server-side issue was responsible for the looping 302 redirects for curl HEAD queries. This has now been fixed, so that curl -IL https://artifuse.ch returns a single HTTP/2 200 response. Unfortunately, this has not affected the error generated by hstspreload.org in any way.

I think HSTS uses a user-agent like this, which gets a 403 from your server:

% curl -I https://artifuse.ch/ -H "User-Agent: Go-http-client/2.0"
HTTP/2 403

Brilliant - thanks Michael! This was it for me: curl -I https://artifuse.ch/ -H "User-Agent: Go-http-client/2.0". I had a firewall rule that was blocking a range of User Agents - turning this rule off resolved the problem for me.
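A diagnostic script for the two failure modes worked out in this thread, added here as an example and not posted by any participant: it sends the same HEAD request to http://HOST/ with a browser-like User-Agent and with the Go client User-Agent quoted above, then reports whether each answer is a redirect to HTTPS on the same host. The browser User-Agent string, the function names and the verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare how a site answers two User-Agents.
# UA_BROWSER is a constructed sample; UA_CLIENT is the value quoted in the thread.
UA_BROWSER="Mozilla/5.0 (X11; Linux x86_64)"
UA_CLIENT="Go-http-client/2.0"

# redirect_verdict HOST STATUS LOCATION
# Judges the answer to http://HOST/: it should redirect to HTTPS on the same host.
redirect_verdict() {
    case $2 in
        301|302|303|307|308) ;;
        403) echo "blocked"; return 0 ;;      # e.g. a firewall rule matching the UA
        *) echo "no-redirect"; return 0 ;;
    esac
    case $3 in
        "https://$1"|"https://$1/"*) echo "ok" ;;
        https://*) echo "host-changed" ;;      # HTTPS, but on a different hostname
        *) echo "not-https" ;;
    esac
}

# probe URL USER_AGENT -> prints "STATUS REDIRECT_URL" (HEAD request, no follow)
probe() {
    curl -sI -o /dev/null -m 10 -A "$2" -w '%{http_code} %{redirect_url}' "$1"
}

# compare_agents HOST: prints one verdict line per User-Agent
compare_agents() {
    for ua in "$UA_BROWSER" "$UA_CLIENT"; do
        result=$(probe "http://$1/" "$ua") || result="000 "
        status=${result%% *}
        location=${result#* }
        printf '%-32s %s %s\n' "$ua" "$status" \
            "$(redirect_verdict "$1" "$status" "$location")"
    done
}

# Run only when a hostname is given, e.g.: sh check.sh example.com
if [ -n "${1:-}" ]; then compare_agents "$1"; fi
```

If the two lines differ, with "ok" for the browser-like agent and "blocked" for the Go client agent, look for a firewall rule that matches on User-Agent.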
