hsts

Local virtual hosts show Privacy Error on Chrome due to HSTS

风流意气都作罢 submitted on 2019-12-24 05:24:07
Question: I have created several virtual hosts for my development processes. They were working just fine till yesterday. But in my Chrome app, today they stopped working. Chrome shows: NET::ERR_CERT_AUTHORITY_INVALID All my vhosts end with .dev . I changed one .dev to .work and it's working again. But I cannot do this for all vhosts as there are too many of them. What do I do? PS: They are working fine in Firefox. The error remains the same in Chrome incognito mode. I tried clearing cache and hard reload,

How to disable HSTS header with HTTP?

杀马特。学长 韩版系。学妹 submitted on 2019-12-23 12:24:33
Question: I have inserted the following in the .htaccess of my site in order to be admitted to the HSTS preload list: <ifModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" </ifModule> The problem is that when I submit my site, I obtain: Warning: Unnecessary HSTS header over HTTP. The HTTP page at http: //fabriziorocca.it sends an HSTS header. This has no effect over HTTP, and should be removed. At the moment I use the following in the

Add HSTS feature to Tomcat

大憨熊 submitted on 2019-12-20 10:05:14
Question: Trust you are all well. My web application runs on Tomcat 6.0.43 and does not use Apache or nginx in front. I already enforce redirection of my web app from http to https using: URL Redirect at ../webapps/ROOT/index.jsp <% response.sendRedirect("https://www.epi.com.my/portal/"); %> ../webapps/myapp/WEB-INF/web.xml <security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport

How to permanently exclude localhost from HSTS list in Google Chrome

为君一笑 submitted on 2019-12-18 03:04:46
Question: This is a followup question to Google Chrome redirecting localhost to https. Does anyone know how to permanently exclude localhost from the HSTS list in Google Chrome? Or any other elegant solution that wouldn't require a developer to visit chrome://net-internals/#hsts and delete localhost every time they switch from working on an HTTPS project to a different project on HTTP? Answer 1: Update: You can install a proper SSL certificate for those domains if you want to for free, so you won't need to

How to disable HTTP Strict Transport Security?

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-17 15:28:38
Question: I had a Rails application with config.force_ssl = true , but now I don't want SSL encryption, but my app is still redirecting to https. I read this is an HTTP Strict Transport Security problem on Apache. How can I disable it? Answer 1: It's not a problem with Apache, but with the fact that Rails sends an HSTS header. In Chrome, you can clear the HSTS state by going into about:net-internals , as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force

ttf and woff files are not using the HSTS

喜你入骨 submitted on 2019-12-13 07:57:16
Question: In my project, HSTS is enabled. So if someone is trying to use the site over HTTP then it redirects to HTTPS. After the security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS. Example 1: On Google Chrome if I try the URL below then it redirects to HTTPS: http://example.com/backend/web/lib/roboto/Roboto-Light.woff2 then it redirects to https://example.com/backend/web/lib/roboto/Roboto-Light.woff2 If I try the same thing on Firefox then it just downloads the Roboto

Spring boot: Do not send HSTS header

末鹿安然 submitted on 2019-12-12 09:17:24
Question: In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up, the request then fails with the error Response for preflight is invalid (redirect) . Answer 1: I resolved this issue by configuring the HSTS header as follows: @Configuration @EnableWebSecurity public class SecurityConfigurer extends WebSecurityConfigurerAdapter { ... @Override protected void configure(HttpSecurity http) throws

Adding HSTS http headers on domain root during redirect to www subdomain in web.config

一个人想着一个人 submitted on 2019-12-12 05:19:52
Question: I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine. I've enabled HSTS on the site, but the HSTS outbound header rule which I've added is never hit on the first request to the root of the domain because of the redirect. (It works fine for subsequent https requests, because there's no redirect.) This is a

Deleting Chrome HSTS for facebook.com not working

让人想犯罪 __ submitted on 2019-12-12 04:14:54
Question: I am currently doing some debugging on my website which involves calling the Facebook API. I've installed dnsmasq to work with my Mac OS X to redirect all requests to facebook.com to 127.0.0.1 I have an echo server which will print out all the raw http request headers on port 80 on my laptop. Now comes my problem. When I access facebook.com, I realize Chrome will automatically forward http:// to https:// for facebook.com I googled and found the way of deleting this HSTS issue. I visit chrome:/

Why does RFC 6797 forbid sending of the Strict-Transport-Security header over plain HTTP responses?

限于喜欢 submitted on 2019-12-11 02:00:26
Question: When reading the spec for HSTS (Strict-Transport-Security), I see an injunction in section 7.2 against sending the header when accessed over http instead of https: An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. Why is this? What are the risks if this is violated? Answer 1: The danger is to the availability of the website itself. If the website is able to respond (either now or in the future) over HTTP but not over HTTPS, it will semi