Always Use HTTPS + HTTP Strict Transport Security (HSTS) = no HSTS for HTTP

I have HTTP requests redirected to HTTPS by Cloudflare, meaning no HTTP requests hit my origin server. That’s fine, expected. However, despite my origin server sending an HSTS header and also enabling HSTS header in Cloudflare as well, when asking for my website on http/80, no HSTS header is sent.

As the request on port 80 is a 301 redirect by Cloudflare to 443, the http response is 100% Cloudflare. So, how do I get CF to send an HSTS header via HTTP before redirecting to 443/HTTPS? Would this be considered a bug?

Thanks

The Strict-Transport-Security response header is only honored by the browser if the request was made over HTTPS. Therefore it does not make sense to return it in the redirect response.

OK thanks, that explains why it is not sent then. Although, it seems counter intuitive to me for a header that defines HTTPS only, only be sent when using HTTPS. If I didnt redirect HTTP to HTTPS and a user were to access my site on HTTP, then the HSTS header would never get sent despite my clicking a box and enabling it via CF.

I’d be interested to know if any browsers do in fact act upon HSTS headers served via HTTP.

It does make sense a bit, as doing it this way will make sure that HSTS is only honored when the browser can verify that the webserver can properly establish an HTTPS connection and does not for example have its SSL misconfigured

1 Like

Yes! Otherwise a middleman can cause denial of service by adding a HSTS header if the server does not support HTTPS.

1 Like

They do not, which is the behaviour specified in the specification:

If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).

Thanks for the further info.

I guess, some of my confusion comes from the Security Center:

We have made HTTP and HTTPS requests to your hostname to check for the presence of the Strict-Transport-Security header in the response. We have not detected the correct header in the response.

Yet, my origin server is 100% sending an HSTS header with every request, and Cloudflare is sending them to clients.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.