Weird http -> https redirection although not configured
Strict-Transport-Security - includeSubdomains
The problem is the scope of the HSTS header: it includes all subdomains. If accessing http://demo.xml-director.info with a browser first, it'll work fine.
However, upon first access to https://xml-director.info/ or https://www.xml-director.info the browser will receive an HSTS header for all subdomains set to expire way in the future (in two years...?) and therefore will not attempt to connect to any (sub)domain over http again until the header expires.
Incidentally, this header has no effect on CLI tools such as wget and curl.
Don't include subdomains
If there are any subdomains that should be accessed over http - do not use includeSubdomains. Instead, if you want to use the HSTS header, restrict it to the accessed domain only (which is the default behavior):
<VirtualHost *:443>
    ServerName www.xml-director.info
    ServerAlias xml-director.info
    # No includeSubDomains: the policy covers only the host that sent it
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
Fixing unwanted HSTS headers
A browser which has received an HSTS header has no means of clearing it itself; it will always attempt to access the domain over https, which if there is no response means it's stuck in limbo.
To correct the current situation of existing browsers (assuming it's not a "just me" problem) it's necessary to expire the HSTS header over an https connection, i.e.:
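<VirtualHost *:443>
    # Wildcards are only matched in ServerAlias, not in ServerName
    ServerAlias *.xml-director.info
    # max-age=0 tells the browser to drop the HSTS entry for the responding host
    Header always set Strict-Transport-Security "max-age=0"
    RewriteEngine On
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>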
Or equivalent. In this way the HSTS header is cleared, and http access is restored.
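An added example (not part of the answer above) that models a browser's HSTS store as RFC 6797 describes it, to show which response changes which stored entry. The `HstsStore` class and `demo` function are hypothetical names, and the scenario is constructed from the hostnames in the question.

```python
import time

class HstsStore:
    """Minimal model of a browser's Known HSTS Host list (RFC 6797, sections 8.1-8.3)."""

    def __init__(self):
        self.entries = {}  # host -> (expiry_epoch, include_subdomains)

    def receive(self, host, header, now=None):
        """Process a Strict-Transport-Security header from an HTTPS response by host."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a header without it is ignored
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # removes this host's own entry only
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def upgrades(self, host, now=None):
        """True if a plain http:// request to host would be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # i == 0 is an exact match; parent entries apply only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    """Constructed scenario using the hostnames from the question."""
    s, out = HstsStore(), {}
    s.receive("xml-director.info", "max-age=63072000; includeSubDomains", 0)
    out["after_apex_visit"] = s.upgrades("demo.xml-director.info", 1)
    s.receive("demo.xml-director.info", "max-age=0", 2)
    out["after_subdomain_max_age_0"] = s.upgrades("demo.xml-director.info", 3)
    s.receive("xml-director.info", "max-age=63072000", 4)  # apex drops includeSubDomains
    out["after_apex_without_include"] = s.upgrades("demo.xml-director.info", 5)
    out["apex_still_https"] = s.upgrades("xml-director.info", 5)
    return out
```

In this model a `max-age=0` response from demo.xml-director.info does not remove the includeSubDomains entry stored for xml-director.info. That entry is only replaced once the browser receives a new header from xml-director.info itself.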