Solved

Setting strict transport security header in header not working

Posted on 2016-10-05
141 Views
Last Modified: 2016-10-14
Hi,
I am setting the following header in the response of my Spring web application:

response.setHeader("Strict-Transport-Security", "max-age=31536000");

I load my web application using https://localhost:4430/notes
4430 is the HTTPS port I have specified for my embedded Jetty server...

I also see this header when my application page is loaded...
Now when I remove the s from this URL I was expecting that it would automatically hit the https URL, but instead the URL was aborted by the Firefox browser:
All I see in the net panel is:
[screenshot: Screen-Shot-2016-10-05-at-7.06.50-PM.png]
These are the response headers when the URL is loaded with https://
[screenshot: Screen-Shot-2016-10-05-at-7.10.14-PM.png]
What could be the reason for this?

Thanks
Question by:Rohit Bajaj
1 Comment

Accepted Solution

by:
gheist earned 500 total points
ID: 41833068
HSTS works only with standard ports, i.e. it poisons the browser to redirect :80 to :443.
It has no effect on other ports.
Don't you think it is better to set HSTS in the web server? As part of maintaining it, the respective operator might want to disable SSL in the future, for example, and to do so they have to clear HSTS headers...
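An added example, not code from the question or the answer: a servlet Filter that emits Strict-Transport-Security only on responses served over TLS, which RFC 6797 requires and which browsers enforce anyway, so the header can live in the application without ever leaking onto a plaintext port. The class name, the directive value and the registration hint are assumptions.

```java
// Added example (not from the original question or answer). Sends the HSTS header
// only when the request arrived over TLS; a plaintext request on any port gets none.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HstsFilter implements Filter {
    // Assumed policy: one year, covering subdomains. "preload" is left out on purpose:
    // once a host is on the browser preload list, turning HTTPS off is not practical,
    // which is the operational concern raised in the accepted answer.
    static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797 section 7.2: the header MUST NOT be sent over non-secure transport,
        // and section 8.1: a browser only notes the policy from an error-free TLS
        // connection. isSecure() is true only for requests received over TLS.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", HSTS_VALUE);
        }
        chain.doFilter(req, res);
    }
}
```

With Spring Security present, `http.headers().httpStrictTransportSecurity()` applies the same secure-request-only rule by default, so this filter is only needed when Spring Security is not on the classpath.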
