Hi,
Inside admin tools settings, even if this is enabled https://www.screenpresso.com/=hbllf I get this https://www.screenpresso.com/=usQ2b
Any idea why?
Thanks
L.
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by toonetcreation on Tuesday, 27 December 2022 06:58 CST
Hi,
Inside admin tools settings, even if this is enabled https://www.screenpresso.com/=hbllf I get this https://www.screenpresso.com/=usQ2b
Any idea why?
Thanks
L.
Please use words to describe your issues. Using pictures bumps your ticket to the bottom of the queue. The issue you should have described is "I have enabled the HSTS feature in the .htaccess Maker on my site, gpce.fr. When I use a third party service to check for the HSTS headers it tells me they are not set".
The problem here is that your site's domain name is www.gpce.fr, not gpce.fr. You have chosen to redirect from the non-www to the www domain.
When you try to access gpce.fr it simply redirects to www.gpce.fr and the redirection does not, of course, have any HSTS headers. Hostname-based redirections have precedence over any other rules. This is deliberate. In most cases you only issue an SSL certificate for a specific domain name and subdomain. Redirections have to happen in plain HTTP mode to avoid browsers displaying a warning about an insecure site.
When you access www.gpce.fr the HSTS header (Strict-Transport-Security) is set correctly.
Solution: test the correct domain name of your site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Yes sorry, my ticket was too short you're right ;-)
Yes I agree with but in this case, why I get this now https://www.screenpresso.com/=Zbldf ?
I don't think that tool is very well thought out. Please read the reference in MDN https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security and the normative RFC 6797 https://www.rfc-editor.org/rfc/rfc6797#page-13.
It complains that you have a subdomain. This is nonsense. There is no such restriction in RFC 6797. The tool has invented a problem which does not exist.
It complains that you do not include the includeSubDomains directive. Again, this is nonsense. As you can read, you ONLY need to send this directive IF AND ONLY IF you want to enforce HSTS on ALL subdomains under the subdomain which returned the HSTS header. Otherwise you simply do not include this directive and let each subdomain provide its own Strict-Transport-Security header. Including this directive only makes sense for large organisations where each subdomain is managed by a different team and the IT department wants to enforce HSTS to prevent SSL stripping attacks across the entire (and often largely unknown) subdomain tree. Again, the tool is inventing a non-existent problem.
It complains that you do not include a preload directive. This is nonsense, too. The preload directive IS NOT part of the specification. You only need this and the previous directive, along with an expiration over one year, if you want to add your domain to https://hstspreload.org/ so that your domain ends up in the HSTS preload list that ships with browsers. This only makes sense if you have a very well-trafficked site which warrants this kind of inclusion. Once again, the tool is inventing a non-existent problem.
Finally, it complains that there is no redirect from plain HTTP. THIS IS FALSE! When I access http://www.gpce.fr/ I do see a redirection to https://www.gpce.fr (see below, in bold type):
$ wget "http://www.gpce.fr" -O /dev/null --2022-12-23 14:29:10-- http://www.gpce.fr/ Resolving www.gpce.fr (www.gpce.fr)... 109.234.164.82 Connecting to www.gpce.fr (www.gpce.fr)|109.234.164.82|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://www.gpce.fr/ [following] --2022-12-23 14:29:10-- https://www.gpce.fr/ Connecting to www.gpce.fr (www.gpce.fr)|109.234.164.82|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘/dev/null’ /dev/null [ <=> ] 30,39K --.-KB/s in 0,07s 2022-12-23 14:29:10 (427 KB/s) - ‘/dev/null’ saved [31119]
Therefore, this tool is misreporting a non-existent problem.
Four out of four issues reported are non-issues. I've seen broken tools, but this one takes the cake.
The most trusted tool for all things TLS–related is SSL Labs by Qualsys. As you can see in the results page for your site (https://www.ssllabs.com/ssltest/analyze.html?d=www.gpce.fr&hideResults=on) it correctly reports: “HTTP Strict Transport Security (HSTS) with long duration deployed on this server”. This tells you that, yes, HSTS is correctly configured on your site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Ok thanks for the clarification I agree with you.
Thanks again for your opinion.
Have a nice day
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!