what to do next after enabling HSTS?

Heya! I’ve enabled HSTS (1 year, with all toggles enabled). Than I’ve tried to add my website to a preload list on hstsprelod org, but I do get “error: No HSTS header”. Where do I add this header? I have a static website built with Astro. ✨🫶
20 Replies
Chaika
Chaika10mo ago
If you enabled it, it should do the header for you. Is your site proxied in Cloudflare?
TWEL
TWELOP10mo ago
Good question, I do not know. Let me check. (I’ve just registered the domain through CF, does it mean I am using CF?)
Chaika
Chaika10mo ago
It means you are using Cloudflare least for DNS. If you go to DNS -> Records, if the record is Proxied it's going through Cf's CDN and the HSTS header should be applied according to that setting. Alternatively, what's your website url? Easy to see externally if proxied or not
TWEL
TWELOP10mo ago
Sure, I’ll drop it in dm, if you do not mind
TWEL
TWELOP10mo ago
Yep, the website is proxied in CF. Also, the HSTS setting is still kinda inactive, it supposed to? (I am positive that I went through all the settings, it even states that I’ve changed the setting)
No description
Chaika
Chaika10mo ago
Yea I can see it's proxied, and no strict-transport-security header Try again? Does it give you an error when you try to save it?
Chaika
Chaika10mo ago
this is what it should look like
No description
TWEL
TWELOP10mo ago
Lemme check real quick It seems like nothing happens if I go through acknowledge>configure and click save. It just returns me on the previous screen (also the loading circle spins for a second in the background near the “enable hsts” button. But nothing happens. I bought domain like 2 hours ago if that’s important
Chaika
Chaika10mo ago
are you just going through and clicking acknowledge -> configure and then save, and not touching any of the sliders/options?
TWEL
TWELOP10mo ago
I do agree with acknowledge information, than set 12 months period and enable all of the toggles
Chaika
Chaika10mo ago
that's really strange..I can't reproduce that. Are any of the sliders/settings preset when you open the menu? (ex. is Enable HSTS at the top enabled when you first open it?)
TWEL
TWELOP10mo ago
All toggles on a configure page were not, when I first opened “enable HSTS”. But all the attempts I’ve tried after you’ve suggest to do it again all the toggles were enabled and the period was set to 12 months If that’s what you’ve asked
Chaika
Chaika10mo ago
I would try disabling enable hsts/saving and then re-enabling. If that doesn't work, could just force the header with a transform rule, not hard to do, silly though I see the header now
TWEL
TWELOP10mo ago
It worked, but not the way we thought it could. At first I’ve tried to toggle settings off and on. That didn’t help. Than I’ve clicked “cancel” on a setting page and the new button appeared! “Enable HSTS”! Check the screenshots
No description
No description
Chaika
Chaika10mo ago
ooh you didn't see that button on top at all before you're doing this on phone or something?
TWEL
TWELOP10mo ago
Thank you @Chaika ✨🫶 I am a happy owner of whatever benefits this setting does now☺️ Yep! That did not appear at all The “proof screenshot” got cut, but there is no enable HSTS toggle on it
Chaika
Chaika10mo ago
sorry should have been more precise about the buttons lol
TWEL
TWELOP10mo ago
Nah, I’ve checked dozens of articles, glad I’ve asked here. Thank you so much for instant response☺️
Chaika
Chaika10mo ago
The main idea is to prevent downgrade attacks, just with the http header alone, once the browser sees it, it will refuse to fallback to http (plaintext/insecure) and cache that setting, HTTPS forever. If you put your site into hstspreload your site will become hard-coded inside of Chrome and Firefox and browsers will always connect straight over https and refuse to downgrade. Some entire TLDs like dev have it enabled (no .dev site can be http, at least via browsers)
TWEL
TWELOP10mo ago
Good to know! Hope this thread will be indexed and will help others
Want results from more Discord servers?
Add your server