Is a 302 redirect honored?

[shaunwarman]

Trying https://fowardemail.net there is a 302 redirect to https://forwardemail.net/<locale> (e.g. https://forwardemail.net/en) where hsts header is present

Strict-Transport-Security: max-age=31557600; includeSubDomains; preload

hstspreload.org responds with Error: No HSTS header Response error: No HSTS header is present on the response.

Does the missing hsts header on the initial response and 302 redirect to where hsts header is present cause the issue?

I can see http -> https redirect via 301.

 wget -O- --no-hsts http://forwardemail.net:80
--2020-10-16 07:51:50--  http://forwardemail.net/
Resolving forwardemail.net (forwardemail.net)... 167.71.85.68
Connecting to forwardemail.net (forwardemail.net)|167.71.85.68|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://forwardemail.net/ [following]
--2020-10-16 07:52:00--  https://forwardemail.net/

Using competitors like https://gf.dev/hsts-test says things are good.

[lgarron]

The header has to be sent on the response to / itself, even if there's a redirect to the same origin.

Depending on your server software, there may be a separate settings to do this for redirects. For example, in Apache you have to use the always keyword for this:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS

[niftylettuce]

thanks @lgarron, @shaunwarman you can close this

@lgarron it might be good to make a note in the landing page that "if you 302 redirect to i18n landing pages like /en, note that your 302 redirect needs the HSTS header present" - not sure if many others have this but would be good to dummy-proof (since other sites follow their redirects on HSTS tests, and hstspreload.org does not).

[nharper]

I think mentioning i18n is a bit too specific. The Deployment Recommendations mentions adding the Strict-Transport-Security header to all HTTPS responses. Would it help to clarify that by adding "including redirects"?

[niftylettuce]

that'd be great