5

I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list:

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"   
</ifModule>

The problem is that when I submit my site, I obtain:

Warning: Unnecessary HSTS header over HTTP. The HTTP page at http://fabriziorocca.it sends an HSTS header. This has no effect over HTTP, and should be removed.

At the moment I use the following in the .htaccess in order to switch from http to https:

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

How can I solve the problem?

Thank you in advance.

fabrizio.rocca
    Possible duplicate of [How to set HSTS header from .htaccess only on HTTPS](http://stackoverflow.com/questions/24144552/how-to-set-hsts-header-from-htaccess-only-on-https) – Tom Jul 07 '16 at 10:47

4 Answers

1

Try with:

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</ifModule>

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Florian
Croises
    This line worked for me: `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"`. It required the single quotes around 'on'. Note: do not remove the keyword `always`. – pedrotester Dec 22 '19 at 21:44
1

Below your redirect rules add the code:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
johnnyRose
Mahadev Majaladar
1

I added this to .htaccess and it works perfectly for me.

RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"

env=HTTPS does not work now.

0

No... Error: HTTP redirects to www first: http://domain.fr (HTTP) should immediately redirect to https://domain.fr (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.domain.fr/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

Eolia
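The three conditions the thread circles around (no HSTS header on plain-HTTP responses, the bare http:// host redirecting to https:// on the same host before any www. redirect, and a preload-ready header on every HTTPS response including the intermediate redirect, which is why `Header always set` matters) can be checked offline against a recorded redirect chain. The script below is an added example, not code from the question or from any answer; the hop data and the `example.test` host are constructed, and the checks are a model of what hstspreload.org complains about, not its actual implementation.

```python
"""Offline model of the HSTS-preload checks applied to a redirect chain.

Added example; the hop data below is constructed and example.test is a
placeholder host.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000          # smallest max-age the preload list accepts
REDIRECT_CODES = {301, 302, 307, 308}


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive; valueless directives map to True.
    """
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip() or True
    return directives


def hsts_problems(value, min_max_age=ONE_YEAR):
    """Return the reasons a header value is not preload-ready (empty if it is)."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < min_max_age:
        problems.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def check_redirect_chain(hops, min_max_age=ONE_YEAR):
    """Evaluate the hops seen when fetching the bare http:// origin.

    hops: ordered list of (url, status, headers); header names are matched
    case-insensitively. Returns a list of findings, empty when the chain
    passes the checks modelled here:
      * no HSTS header on any plain-HTTP response;
      * the first hop redirects straight to https:// on the same host
        (adding www. before switching scheme fails this);
      * every HTTPS response, redirects included, carries a preload-ready
        HSTS header (what 'Header always set' guarantees on a 301).
    """
    findings = []
    for i, (url, status, raw_headers) in enumerate(hops):
        headers = {k.lower(): v for k, v in raw_headers.items()}
        parts = urlsplit(url)
        hsts = headers.get("strict-transport-security")
        if parts.scheme == "http":
            if hsts is not None:
                findings.append(f"Unnecessary HSTS header over HTTP at {url}")
            if i == 0:
                location = headers.get("location", "")
                target = urlsplit(location)
                if status not in REDIRECT_CODES or not location:
                    findings.append(f"{url} does not redirect")
                elif target.scheme != "https" or target.hostname != parts.hostname:
                    findings.append(
                        f"{url} should redirect to https://{parts.hostname}/ "
                        f"before anything else, not to {location}")
        else:
            if hsts is None:
                findings.append(f"Missing HSTS header over HTTPS at {url}")
            else:
                for problem in hsts_problems(hsts, min_max_age):
                    findings.append(f"{url}: {problem}")
    return findings


HSTS_OK = "max-age=63072000; includeSubDomains; preload"

# Constructed chain reproducing the thread's two complaints: the header is
# sent over plain HTTP, and the first redirect adds www. before switching
# to HTTPS.
CHAIN_BAD = [
    ("http://example.test/", 301,
     {"Location": "https://www.example.test/", "Strict-Transport-Security": HSTS_OK}),
    ("https://www.example.test/", 200, {"Strict-Transport-Security": HSTS_OK}),
]

# Constructed chain for the corrected rules: scheme first, then www., with
# the header on every HTTPS response including the intermediate redirect.
CHAIN_GOOD = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 301,
     {"Location": "https://www.example.test/", "Strict-Transport-Security": HSTS_OK}),
    ("https://www.example.test/", 200, {"Strict-Transport-Security": HSTS_OK}),
]

if __name__ == "__main__":
    for name, chain in (("bad", CHAIN_BAD), ("good", CHAIN_GOOD)):
        print(name, check_redirect_chain(chain) or ["OK"])
```

To use it against a live site, record each response's URL, status and headers while following redirects from the bare http:// host with redirects disabled in the client, then feed that list to `check_redirect_chain`. A chain whose `https://domain/` 301 lacks the header is exactly what `Header set` without `always` (or `env=HTTPS` on a server that no longer sets that variable) produces.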