HSTS not working with Chrome

I have configured Apache to return the HSTS header. When connecting to https://lab20.example.com from Google Chrome with the developer tools open, I can see the following response header: Strict-Transport-Security:max-age=63072000; includeSubdomains;

But it does not work. When I try to access http://lab20.example.com, Chrome allows that.

Also, when I open chrome://net-internals/#hsts in Chrome and query the domain "lab20.example.com", I receive "Response Not found".

Could anyone explain why this happens?


For others who are seeing a similar issue, it may be because your browser has not yet accessed the site over HTTPS. Try accessing it over HTTPS and then again over HTTP. If HSTS is correctly implemented, then that last request should fail. MDN explains it nicely:

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
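To make the behaviour in the answer concrete, here is an added example (not code from the question, the answer, or Chrome itself) that models a browser's dynamic HSTS store: the header is parsed per RFC 6797, stored only when it arrives over HTTPS with a valid certificate, and then consulted to decide whether a plain-HTTP request to the host (or, with includeSubDomains, a subdomain) is upgraded. The `HstsStore` class, the `walk_through` function and the sample responses are constructed for illustration; the header value is the one from the question.

```python
"""Toy model of browser HSTS handling (added example, not Chrome's implementation)."""
import time
from dataclasses import dataclass, field

HSTS_HEADER = "strict-transport-security"


def parse_hsts(value):
    """Parse an STS header value into (max_age, include_subdomains).

    Returns None when the header is malformed (no usable max-age).
    Directive names are case-insensitive (RFC 6797), so the
    'includeSubdomains' spelling from the question is accepted.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue  # a trailing ';' yields an empty directive; tolerate it
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


@dataclass
class HstsStore:
    """Minimal dynamic HSTS list: host -> (expires_at, include_subdomains)."""
    entries: dict = field(default_factory=dict)

    def observe_response(self, host, scheme, cert_valid, headers, now=None):
        """Store the policy only for HTTPS responses with a valid certificate.

        Returns True if the policy was recorded (or cleared), False if ignored.
        """
        now = time.time() if now is None else now
        if scheme != "https" or not cert_valid:
            return False  # header over plain HTTP or a bad cert is ignored
        value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
        if value is None or (parsed := parse_hsts(value)) is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 deletes the policy
            return True
        self.entries[host.lower()] = (now + max_age, include_sub)
        return True

    def should_upgrade(self, host, now=None):
        """True if a plain-http request to host must be rewritten to https."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):  # check host, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False


def walk_through(now=1_000.0):
    """Replay the situation from the question; returns the decision at each step."""
    headers = {"Strict-Transport-Security": "max-age=63072000; includeSubdomains;"}
    store = HstsStore()
    out = {}
    # 1. First visit is over plain HTTP: header ignored, nothing to upgrade.
    out["stored_via_http"] = store.observe_response("lab20.example.com", "http", True, headers, now)
    out["upgrade_before"] = store.should_upgrade("lab20.example.com", now)
    # 2. HTTPS visit, but with a certificate error: still ignored.
    out["stored_bad_cert"] = store.observe_response("lab20.example.com", "https", False, headers, now)
    # 3. Clean HTTPS visit: policy recorded, HTTP is upgraded from now on.
    out["stored_via_https"] = store.observe_response("lab20.example.com", "https", True, headers, now)
    out["upgrade_after"] = store.should_upgrade("lab20.example.com", now)
    out["upgrade_subdomain"] = store.should_upgrade("api.lab20.example.com", now)
    out["upgrade_parent"] = store.should_upgrade("example.com", now)
    out["upgrade_expired"] = store.should_upgrade("lab20.example.com", now + 63072000)
    return out


if __name__ == "__main__":
    for step, decision in walk_through().items():
        print(f"{step:20s} {decision}")
```

Step 1 reproduces what the question observes: an HTTP-only visit leaves the store empty, so both the HTTP request and a query for the host come back with nothing. Step 3 is the fix the answer describes, and step 2 shows the "no certificate errors" condition from the MDN note, which is why a self-signed lab certificate will also leave HSTS inactive.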