🌐 HTTP Strict Transport Security (HSTS)

by Dmytro Litvinov

Share

In ongoing project our SEO-team asked about investigating redirect from http links to https with status code 307. They asked to investigate it.

So what I did is check via Chrome to confirm that status is 307 - confirmedβœ…
Then checked via curl:


HTTP/1.1 308 Permanent Redirect
Date: Fri, 29 Sep 2023 07:18:39 GMT
Content-Type: text/html
Connection: keep-alive
Location: https://www.myawesomewebsite.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=P6yg%2BjejmGcvOb%2F3362PZw77jJcgK7iN9YBGi6Vk%2F%2FBFINno9PtWIrCnUgEh2%2FmK5pJCJ764%2BsSnldGXqHMd8zLzxrzweMuzYtJMlEG5uZPXsF1oDO9cNT9cIFbNzg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 80e274134b985b99-VIE

308 status when it should be 307 πŸ€”

Then checked more carefully at DevTools et voila πŸŽ‰:

Cross-Origin-Resource-Policy: Cross-Origin
Location: https://www.myawesomewebsite.com/
Non-Authoritative-Reason: HSTS

So what Today I Learned:

HSTS header does automatic redirect on client-side from HTTP-> HTTPS (secure) connection protecting websites against man-in-the-middle attacks and cookie hijacking.

Example of how it can be set:
Strict-Transport-Security : max-age=3600 ; includeSubDomains; preload

Helpful links:
https://stackoverflow.com/a/28595295
https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/