
We are using a self-signed certificate in our application and want to use the HSTS header for added security. We access our application using IP or hostname. I found that for HSTS to work,
- no certificate errors must be there (installed self-signed certificate in browser)
- access with hostname
- at least once our application needs to be accessed using https before HSTS starts working.

On doing this, I was able to make HSTS work in Chrome (saw a 307 response when accessed with http). But HSTS is not working with IE. I am getting a 301 redirect (we have configured a reverse proxy which will redirect http to https). I want to make redirection work due to HSTS. Any idea what I am missing?

  • Do you see the header in the response? – IllusiveBrian Aug 28 '18 at 13:46
  • Yes. The header is there in the response. –  Aug 28 '18 at 13:54
  • @AbhishekSharmaM: What's the test result from https://tools.geekflare.com/tools/hsts-test and the methods in this blog https://www.namecheap.com/support/knowledgebase/article.aspx/9711//how-to-check-if-hsts-is-enabled ? – StackzOfZtuff Aug 28 '18 at 14:00
  • I get an "unable to resolve domain name" error as the URL we are using is not public. –  Aug 28 '18 at 14:21
  • Can I check somewhere in Internet Explorer if my domain is actually being saved in the HSTS list for which redirection will occur? –  Aug 28 '18 at 15:00
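
Since the public test sites cannot reach an internal host, the conditions under which a user agent records a host as HSTS-enabled can be checked offline. This is an added example, not part of the original question or comments: it models the RFC 6797 processing rules rather than any one browser's implementation, contacts no server, and the function names, hostnames and header values are constructed for illustration.

```python
import ipaddress
import re

def parse_sts(value):
    """Parse a Strict-Transport-Security value; None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue                      # tolerate empty segments ("a;;b")
        if name in directives:
            return None                   # each directive may appear only once
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is required, digits only
    return directives

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def hsts_outcome(scheme, host, cert_trusted, header):
    """Return (noted, reason) for one response, following RFC 6797."""
    if scheme != "https":
        return False, "ignored: header received over plain http"
    if not cert_trusted:
        return False, "ignored: certificate error or warning on the connection"
    if is_ip_literal(host):
        return False, "ignored: host is an IP address, not a domain name"
    if header is None:
        return False, "no Strict-Transport-Security header in the response"
    sts = parse_sts(header)
    if sts is None:
        return False, "ignored: malformed header value"
    if int(sts["max-age"]) == 0:
        return False, "max-age=0 removes the host from the HSTS list"
    return True, "host noted for %s seconds" % sts["max-age"]

# Constructed sample responses: (scheme, host, certificate trusted, header value)
SAMPLES = [
    ("https", "app.internal.example", True, "max-age=31536000; includeSubDomains"),
    ("https", "10.0.0.5", True, "max-age=31536000"),
    ("https", "app.internal.example", False, "max-age=31536000"),
    ("http", "app.internal.example", True, "max-age=31536000"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:3], "->", hsts_outcome(*sample))
```
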

0 Answers