HSTS Redirect fails on a security scan

Hello All

We are loving certify the web and all the initiatives around lets encrypt.

We have an annoying customer we work with who engages with a “security audit company”. They use some automated tool to generate hundreds of lines of “issues” with our sites. This one came up today and I am not sure how to handle it.

{domain}.com.au - Website Does Not Implement HSTS Best Practices

Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the ‘includeSubDomains’ directive so that requests to subdomains are also automatically upgraded to HTTPS.
An acceptable HSTS header would declare:
Strict-Transport-Security: max-age=31536000; includeSubDomains;

I wrote this as an answer but I am not sure if their “security” consultants will accept the answer.

We recommend and use “Let's Encrypt” which is on a rolling 30 day renewal. Enabling a 12 month SSL is not supported in Let's Encrypt. We also set for all sub domains.

Thanks in advance for any advice.

Best Wishes
David

Hi David,

So your certificate is only part of the puzzle for this sort of thing. HSTS is a thing called “Strict Transport Security” and it’s more to do with how your website/webserver is configured rather than your certificate (or your https binding). What it does is tell visiting browsers that you’re always going to have https enabled so don’t bother trying http again, just use https (for this many seconds…).

So your answer wouldn't really cover it. You could optionally just implement the change if all your sites are https anyway. The best method depends on your version of IIS but I'd imagine Option 2 in this article is about right: IIS 10.0 Version 1709 HTTP Strict Transport Security (HSTS) Support | Microsoft Docs - you are effectively adding an http header to your websites and also automatically redirecting http to https (which you may already be doing anyway).
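The scanner's rule quoted above has two testable parts: every HTTPS response on the way to the site (including redirect hops) must carry a Strict-Transport-Security header with max-age of at least 31536000 seconds and includeSubDomains, and the HTTP entry point must redirect to HTTPS. The following is an added example, not code from this thread, from Certify The Web, or from the scanner, that parses the header and applies exactly that policy to a captured redirect chain. The domain example.com.au and the three hops are constructed sample data; the 12-month threshold and the includeSubDomains requirement come from the finding itself. Plain-HTTP hops are deliberately not required to carry the header, because browsers ignore HSTS received over HTTP.

```python
"""Check a captured redirect chain against the HSTS policy from the scan finding.

Added example, not code from the forum post, Certify The Web, or the scanner.
SAMPLE_CHAIN below is constructed data, not a capture of any real site.
"""
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # 12 months, the threshold quoted in the finding


def _header(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive; a trailing ';' (as in the
    scanner's example header) is tolerated. Valueless directives map to None.
    Returns None when the value is not a usable policy: no max-age,
    a non-numeric max-age, or a duplicated directive (invalid per RFC 6797).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name in directives:
            return None
        directives[name] = val
    if "max-age" not in directives:
        return None
    try:
        directives["max-age"] = int(directives["max-age"])
    except (TypeError, ValueError):
        return None
    return directives


def check_hsts(value, min_max_age=MIN_MAX_AGE, require_subdomains=True):
    """Return the list of problems with one header value (empty list = OK)."""
    if value is None:
        return ["header missing"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header unparsable or without max-age"]
    problems = []
    if parsed["max-age"] < min_max_age:
        problems.append(f"max-age {parsed['max-age']} < {min_max_age}")
    if require_subdomains and "includesubdomains" not in parsed:
        problems.append("includeSubDomains missing")
    return problems


def check_chain(hops):
    """Apply the policy to every hop of a redirect chain.

    hops: list of (url, status, headers) in the order the client followed.
    HTTP hops only need to redirect to an https:// Location; browsers ignore
    HSTS sent over HTTP, so a header there does not count. Every HTTPS hop
    must carry a compliant header. Returns {url: [problems]} for failing hops.
    """
    findings = {}
    for url, _status, headers in hops:
        if urlsplit(url).scheme != "https":
            location = _header(headers, "Location") or ""
            if not location.lower().startswith("https://"):
                findings[url] = ["HTTP hop does not redirect to HTTPS"]
            continue
        problems = check_hsts(_header(headers, "Strict-Transport-Security"))
        if problems:
            findings[url] = problems
    return findings


# Constructed sample: HSTS is correct on the final page, but the intermediate
# https hop (apex -> www) uses a 30-day max-age and omits includeSubDomains,
# which is exactly the kind of thing the scanner flags.
SAMPLE_CHAIN = [
    ("http://example.com.au/", 301,
     {"Location": "https://example.com.au/"}),
    ("https://example.com.au/", 301,
     {"Location": "https://www.example.com.au/",
      "Strict-Transport-Security": "max-age=2592000"}),
    ("https://www.example.com.au/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains;"}),
]

if __name__ == "__main__":
    for url, problems in check_chain(SAMPLE_CHAIN).items():
        print(url, "->", "; ".join(problems))
```

To run this against a live site, fetch each hop yourself with redirects disabled (for example `requests.get(url, allow_redirects=False)`) and feed the URL, status and response headers of every hop into `check_chain`; following redirects automatically would hide the intermediate responses that the finding explicitly covers.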

Thanks webprofusion

From your response we found some articles and we can enable it from Plesk, which we have now done.

For some reason once we enabled it, the site stopped working. We then disabled it and it was fine. So I used this checker https://gf.dev/hsts-test

And it shows as enabled. We don't use the Plesk auto renew of Let's Encrypt as it is not reliable. Certifytheweb works much better but this means Plesk says “not secured”.

Some conflict I guess and maybe that is why we needed to enable HSTS and then disable.

Regards
David

Ah yes, sorry I can’t help with Plesk much. Based on this conversation I’ve added some suggested best practices to our docs as that may be helpful for others: Best Practices | Certify The Web Docs