3

In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up the request then fails with the error "Response for preflight is invalid (redirect)".

Leukipp

2 Answers

3

I resolved this issue by configuring the HSTS header as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
    // ... other configuration omitted in the original post

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ... other HttpSecurity configuration omitted in the original post

        // Send Strict-Transport-Security with max-age=0 so a browser that has
        // cached an earlier HSTS policy for this host drops it again.
        http.headers().httpStrictTransportSecurity()
            .maxAgeInSeconds(0)
            .includeSubDomains(true);
    }
}

Disabling HSTS did not work for me.

Leukipp
  • This works for me, but `http.headers().httpStrictTransportSecurity().disable()` did also work for me. I'm using Spring Boot 2.0.1.RELEASE and verified the HSTS header wasn't sent using Chrome 66 DevTools. – sigint Apr 29 '18 at 15:24
3

If you don’t have HTTPS set up then the HSTS value should never be read - browsers must ignore HSTS sent over an unencrypted HTTP connection.

If you once did have HTTPS but now no longer do (or if you have HTTPS on some of your domains/pages), then your browser may have cached the HSTS setting for whatever max-age value was set when the browser last read the header. You would need to clear this in your browser. How to do this varies from browser to browser, but one of the easier ways that works in all browsers is to publish a new HSTS header with a max-age of 0 like you have done and then visit a page over HTTPS (not over unencrypted HTTP). This obviously requires you to have an HTTPS setup, which you say you do not have? After all your browsers have got the new setting for all affected domains, you can then stop publishing that HSTS header completely.

Skipping the reset step and just turning off the header when the browser has a previous version cached will not work - at least until the browser’s cached version expires after the max-age time.

Barry Pollard
  • Thanks for confirming what I thought -- somehow my browser must have received the HSTS header. In Chrome it helped to delete the cache but in Yandex I couldn't find a way to do the same. Deleting the sub domain on chrome://net-internals/#hsts did not work for me. Does a browser cache this setting per sub domain? – Leukipp Mar 11 '18 at 18:55
  • It caches it per domain. You can add the includesubdomain attribute and if you visit that top level domain and therefore get that policy, then it will apply for all subdomains. It’s still only stored at the top level domain in that example though and the browser checks the full domain (sub.sub.example.com) and then every upper level domain for the first matching policy in the cache (e.g. sub.example.com and then example.com in this example). Note the policy is only loaded if the customer visits one of those domains (the browser does not proactively visit them to see if an HSTS policy exists). – Barry Pollard Mar 11 '18 at 19:23
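The behaviour described by both answers and the comments above (the header is ignored over plain HTTP, a cached policy outlives the header's removal until its max-age elapses, a max-age=0 header received over HTTPS evicts it, and a parent domain's includeSubDomains entry covers sub.sub hosts) as an added Python model of a browser's HSTS cache following RFC 6797. This is example code written for this page, not code from the question, either answer, Spring or any browser; the hostnames, header values and clock values are constructed.

```python
# Added example (not from the question or either answer): a small model of a
# browser's HSTS cache per RFC 6797, showing why a browser keeps redirecting
# to https and how a max-age=0 header over HTTPS clears the cached policy.
# Hostnames and clock values below are constructed for the demonstration.
import re
import time

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no max-age directive is present; RFC 6797 makes it
    mandatory, so such a header is ignored.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        match = _MAX_AGE.fullmatch(directive)
        if match and max_age is None:
            max_age = int(match.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Cache of HSTS policies, keyed by the host that sent the header."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, host, secure, headers):
        """Apply a response's STS header; returns True if the cache changed.

        The header counts only on a TLS connection (secure=True): a browser
        must ignore it when received over plain HTTP.
        """
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None or not secure:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 tells the browser to forget this host's policy
            return self._policies.pop(host, None) is not None
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def matching_host(self, host):
        """Return the cached host whose policy covers `host`, or None.

        Walks from the full hostname up through each parent domain; a parent's
        entry applies only if it carried includeSubDomains.
        """
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= self._now():
                del self._policies[candidate]  # expired entry drops out
                continue
            if i == 0 or include_sub:
                return candidate
        return None

    def should_upgrade(self, host):
        """True when the browser would rewrite http://host to https://host."""
        return self.matching_host(host) is not None


def demo():
    """Replay the situation from the question with a controllable clock."""
    clock = [1_000_000]
    cache = HstsCache(now=lambda: clock[0])
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    steps = {}
    # 1. A header received over plain HTTP is ignored.
    cache.observe_response("api.dev.example.test", False, sts)
    steps["after_http"] = cache.should_upgrade("api.dev.example.test")
    # 2. The parent domain once served the header over HTTPS.
    cache.observe_response("dev.example.test", True, sts)
    steps["after_https"] = cache.should_upgrade("api.dev.example.test")
    steps["matched_by"] = cache.matching_host("api.dev.example.test")
    # 3. Merely dropping the header changes nothing while the entry is fresh.
    cache.observe_response("dev.example.test", True, {})
    steps["after_removal"] = cache.should_upgrade("api.dev.example.test")
    # 4. max-age=0 over HTTPS evicts the policy, as in the first answer.
    cache.observe_response("dev.example.test", True,
                           {"Strict-Transport-Security": "max-age=0; includeSubDomains"})
    steps["after_reset"] = cache.should_upgrade("api.dev.example.test")
    # 5. Without the reset, the policy only lapses once max-age has elapsed.
    cache.observe_response("dev.example.test", True, sts)
    clock[0] += 31536000 + 1
    steps["after_expiry"] = cache.should_upgrade("api.dev.example.test")
    return steps


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lookup order in `matching_host` is the one the second answer's comment describes: the full hostname first, then each parent, taking the first fresh entry whose scope covers the host. Note that the max-age=0 reset only removes the entry for the host that served it, so every host that previously sent its own policy has to serve the reset over HTTPS too.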