HSTS preload & includeSubDomains directives disappeared

Hi,

I configured HSTS about 8 months ago for the domain netletic.com. I then had the domain added to the Chrome HSTS Preload list and all was well. Today I noticed the domain is pending removal from the Preload list, because the preload & includeSubDomains directives aren’t present. curl confirms:

curl --silent --head https://netletic.com | grep -i 'strict-transport-security'
strict-transport-security: max-age=63072000

But I do have those directives enabled. I tried to deactivate/reactivate them about 3 hours ago, but that didn’t change anything.

It seems as if the settings I apply in the SSL/TLS section don’t affect the running config anymore. I only had TLSv1.2 and TLSv1.3 enabled; I just added TLSv1.1 as a test:

But both the output from Nmap and openssl confirm TLSv1.1 isn’t supported.

$ openssl s_client -connect netletic.com:443 -tls1_1
$ nmap --script=ssl-enum-ciphers -p T:443 netletic.com

See https://pastebin.com/EjM5s4D7 for the output of the commands.

It’s as if the domain’s settings are managed elsewhere now. But netletic.com still shows as Proxied by Cloudflare in the DNS settings:

And the NS records still point to Cloudflare:

$ dig NS netletic.com +short
bayan.ns.cloudflare.com.
tegan.ns.cloudflare.com.

I’m a bit stumped. If anyone has any idea I’d be delighted, cheers!

If you’ve done anything to block the hsts preload bot from periodically verifying your site headers, your site will get dropped from the list. Certain bot fight modes and firewall rules can cause this.

Have you tried re-submitting it?


Hey sdayman, thanks for having a look at this.

I’d like to re-submit the domain to the Chrome preload list, but I don’t think I can while the includeSubDomains and preload directives are missing.

I suspect the root cause is related to the fact that any changes I make to the Cloudflare TLS/SSL settings aren’t getting applied. I don’t have (and haven’t had) any firewall rules or bot fight mode enabled.

For example, I changed the Minimum TLS Version to TLS 1.0 ~2 days ago–it was >= TLS 1.2 before–and it’s still >= TLS 1.2 only today:

Cloudflare setting:

Actual accepted TLS versions, TLS 1.1 still not included after ~2 days:

The minimum TLS version is not relevant to HSTS preload.

I see you are using WPEngine for your site. Are you using their Cloudflare integration, which I think they call Global Edge Security? If you are, then their account settings will apply to that hostname, and not your account settings. To get them to add HSTS you need to open a support ticket.


Thanks Michael, I think you’re on the money.

Indeed, the minimum TLS version isn’t relevant to HSTS, I mentioned it because it proves that it’s not my account settings getting applied to my hostname anymore.

I am using WPEngine, but I’m not using their Cloudflare integration–the free version is called Advanced Network. My CNAME for netletic.com still points to the old Basic Network WPEngine domain. But even though that’s the case, it seems some kind of partial integration is already happening, hence why WPEngine’s settings are getting applied to my hostname.

I’ll open a ticket with them and see. I could either get the integration removed or switch over completely and ask them to activate HSTS preload + subDomains for my hostname.

Thanks again for having a look at this.
