Hi,
I'd like to add a site to https://hstspreload.org/ and it succeeds when I don't have Admin Tools installed.
In core Joomla HTTP addons. I am using Admin Tools how can I add a page and what settings should I use?
#39241 Add website https://hstspreload.org
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
4.3.3
PHP version
8.0
Admin Tools version
7.34
Latest post by nicholas on Tuesday, 25 July 2023 03:07 CDT
Friday, 21 July 2023 06:56 CDT
Grzesiek388
Friday, 21 July 2023 08:41 CDT
nicholas
Akeeba Staff
Manager
As long as you are using the .htaccess Maker and have enabled the HSTS option in it you're set. That's what we've done with this site here.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Friday, 21 July 2023 08:58 CDT
Grzesiek388
Thanks for your reply, yes I have HSTS Header (for HTTPS-only sites) enabled - YES.
I do not know if I understand correctly? Should I ignore adding a page to https://hstspreload.org?
Because I get messages:
Error: No includeSubDomains directiveThe header must contain the `includeSubDomains` directive.
Error: No preload directive The header must contain the `preload` directive.
Friday, 21 July 2023 11:45 CDT
nicholas
Akeeba Staff
Manager
Normally, you should be able to ignore that.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Friday, 21 July 2023 12:02 CDT
Grzesiek388
Thank you:)
very much for help. I have one last question: what if the client has already configured the Joomla HTTP plugin and added https://hstspreload.org
now wants to install your extension, what in this situation? Should I leave the HSTS option disabled? And what else should be disabled?
Thank you for your help.
Friday, 21 July 2023 15:16 CDT
Grzesiek388
I have the last question:)
I check the website https://securityheaders.com/?q=packover.pl&followRedirects=on
and HSTS enabled highlights Strict Transport Security :)
Whereas in red there are still content-security-policy and permissions-policy
How can I change it to be green?
Tuesday, 25 July 2023 03:07 CDT
nicholas
Akeeba Staff
Manager
Please refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
There are two things to consider here.
- includeSubDomains must ONLY be used if ALL subdomains will also have HSTS enabled, i.e. all subdomains can only ever be accessed over HTTPS. Before you use that keep in mind that this will also affect the subdomains created by your web hosting control panel for non-site features such as calendar and contacts synchronisation.
- preload is NOT part of the specification.
If you really want to do that for your site, enable HSTS in the .htaccess Maker and use the following custom code in the .htaccess Maker to be placed at the bottom of the file:
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”
The combined effect is that the custom code runs last, therefore it overrides the simpler HSTS header (without includeSubDomains and preload) that the .htaccess Maker generates.
If you are going to be using a CDN, such as CloudFlare, let the CDN manage HSTS instead.
We are going to add controls for these two HSTS features in a future version of Admin Tools.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!