hsts on main port 80, not on other ports

hsts

Yes, this is intentional. RFC 6797 states:

     The UA MUST replace the URI scheme with "https" [RFC2818], and

     if the URI contains an explicit port component of "80", then
     the UA MUST convert the port component to be "443", or>>

     if the URI contains an explicit port component that is not
     equal to "80", the port component value MUST be preserved;
     otherwise,

     if the URI does not contain an explicit port component, the UA
     MUST NOT add one.

     NOTE:  These steps ensure that the HSTS Policy applies to HTTP
            over any TCP port of an HSTS Host.

You should run plain HTTP services on a different domain, or even better, use a HTTP+TLS server as a reverse proxy to the internal plain HTTP service.


The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

Related

Windows Storage Spaces - a useful replacement for RAID6?
Workaround for when windows scheduled tasks fails when user changes their password
\Program Files vs. \Program Files (x86) in 64-Bit Windows
How stable is Cherokee Web Server? [closed]
Export data from R to Excel
Calculate weighted average using a pandas/dataframe
Why can't we pass arrays to function by value?
What does "WINAPI" in main function mean?
Setting JVM heap size at runtime
Can HTML5 databases and localStorage be shared across subdomains?
How to calculate mean values grouped on another column in Pandas
How do I avoid implicit conversions on non-constructing functions?