
Scanning a website using https://observatory.mozilla.org gives me the following error: Initial redirection from http to https is to a different host, preventing HSTS.

Question

  • Is this a genuine issue with my setup, or a bug in the tool where it's not seeing the subdomain as being part of the same domain?
  • Can anyone advise what I may be missing based on the additional info below?

Detail

This site's domain is registered with Google Domains. To ensure anyone accessing the site via example.com is automatically redirected to www.example.com, I've set up subdomain forwarding with the following rule:

example.com → https://www.example.com
Permanent redirect (301), Forward path

Additionally, I have rules in the (ASP.NET) site's web.config to redirect any HTTP connections to HTTPS, and to add the Strict-Transport-Security HTTP header (when served via HTTPS only, per the famous Scott Hanselman blog's advice):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=63072000; includeSubDomains; preload" />
                </rule>
            </outboundRules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
                <!-- add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" / -->
                <add name="Content-Security-Policy" value="default-src 'self';" />
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="X-Frame-Options" value="DENY" />
                <add name="X-Xss-Protection" value="1; mode=block" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

The site itself is hosted in Azure (under my Visual Studio Subscription free credits). The site's URL there is example.azurewebsites.net, and in Google Domains I have a CNAME pointing www at example.azurewebsites.net (under custom resource records).

JohnLBevan

0 Answers