HSTS Header does not work

Keywords: WordPress - AWS - How to - Secure Connections (SSL/HTTPS)

Description:
I have an AWS Lightsail (Wordpress) site running on Bitnami.
I want to enable HSTS and get it added to the preload list, but it isn’t working.
I tried everything in this article but it doesn’t work according to this site.

I added this line

**Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"**

Inside this block:

<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    ....
    ...
</Directory>

I get this error when I test it:
Response error: No HSTS header is present on the response.

Hi @BufordTJustice,

Thanks for using Bitnami. I see you opened a new thread regarding issues with the bnsupport tool. While this is solved, can you share the bnsupport tool code to take a look into it? If possible, please run the tool again on your server and share with us the most recent code, so the information is up to date.

Did you also restart Apache after updating the config file for the changes to take effect? If not, please do so by running the following command:

sudo /opt/bitnami/ctlscript.sh restart apache

Regards,
Gonzalo

Hi Gonzalo,

I created a new code - ce49ff6d-1d43-4968-9e48-30682ec2c90d

I did restart Apache for the change, and did again just now. On https://hstspreload.org/, I still get a report of no HSTS header.

Hi @BufordTJustice,

Thanks for your message. I checked your website with curl and the headers are added for HTTPS as you can see below

$ curl -LI "http://www.col***an.com"
HTTP/1.1 301 Moved Permanently
Date: Wed, 14 Jul 2021 14:09:33 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://www.col***an.com/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Wed, 14 Jul 2021 14:09:34 GMT
Server: Apache
X-Powered-By: PHP/7.3.14
Link: <https://www.col***an.com/wp-json/>; rel="https://api.w.org/", <https://www.col***an.com/wp-json/wp/v2/pages/2217>; rel="alternate"; type="application/json", <https://www.col***an.com/>; rel=shortlink
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8

On the official website you shared, I see one of the points asks you to include the config on the HTTP website too:

  • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

Can you try to include the config line in the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file right below the DocumentRoot directive? After that, please restart Apache and run the same command I shared above. Do you see the config in both sections?

Thank you Gonzalo.

I added that block to the bitnami.conf. Also, should it be ‘add’ or ‘set’? I had add, but changed it to set in both places. Restarted Apache. Ran the curl command.

I get the same output that you did above. Should we expect to see another HTTP/1.1 section in the output?

By the way, this is the site that led me to hstspreload. These sites still indicate an issue.

Hi @BufordTJustice,

Thanks for your message. I did the modifications in a fresh new WordPress installation in the same files you did and it is working fine for me. Can you run the bnsupport tool again and send us the new code? I’d like to take a look at the updated configuration.

$ curl -kLI "thisserver.com:8080/"
HTTP/1.1 302 Found
Date: Fri, 16 Jul 2021 09:21:51 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Location: https://thisserver.com:8443/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 16 Jul 2021 09:21:51 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Cookie,Accept-Encoding
X-Powered-By: PHP/7.4.19
Link: <https://thisserver.com:8443/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

thisserver.com is just an alias I created for 127.0.0.1. And I’m using ports 8080 and 8443 because ports 80 and 443 were already in use, but it shouldn’t make any difference.

I wonder if trying it on an AWS (Route53 and Lightsail) instance would make a difference in the result. That is how mine is deployed. Here is the new code: 13dbdcef-d526-bda3-1bbd-e811a5f8aa9a

Thank you!

Hi @BufordTJustice,

Thanks for the new code. I think I know where your issue is now. You added the new header inside the Directory section of the bitnami.conf file instead of below the DocumentRoot line that I mentioned. Can you move the line there, restart Apache and try again?

Your current config (sending the important part of the file only):

(...)
<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

  # ---------------------------------------------------

  <Directory "/opt/bitnami/apache2/htdocs">

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

(...)

It should read like this instead:

(...)
<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

  # ---------------------------------------------------

  <Directory "/opt/bitnami/apache2/htdocs">


(...)

This is the place where I set the header in my testing and it worked fine for me.

Thank you @gongomgra, that was my mistake. Good find! I added that in the correct location, restarted apache and ran the diagnostic tool: 7990aff4-6eb0-3c57-4c7f-0a1a8aaadb80

https://hstspreload.org/ now says I am sending HSTS over HTTP which is unnecessary, and it looks like it isn’t getting it over HTTPS.

Hi @BufordTJustice,

Thanks for your message. I think I have misunderstood the docs. I checked your bnsupport bundle again and I have another idea. I see this error message on the website when providing your domain:

`www.co***an.com` is a subdomain. Please preload `co***an.com` instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)

I also missed the non-www to www redirection previously (my fault), and according to the error message above, I understand you need to send the header before doing the redirect to the www subdomain. Can you add the header in the bitnami.conf file into the VirtualHost 443 section? I’m sharing the relevant section of the file with the line added.

(...)
<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  RewriteEngine On
(...)

Also, I understand now that you can comment out (by placing a # character at the beginning of the line) the header we added yesterday (for HTTP), and the one in the apps/wordpress/conf/httpd-app.conf file, which will be adding it for the www subdomain.
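The two failure modes this thread walks through (header emitted only by the :80 vhost, so it is sent over plain HTTP and missing on the HTTPS redirect from the bare domain to www; then fixed by placing it in the :443 vhost) can be checked offline before submitting to hstspreload.org. This is an added example, not code from the thread or from Bitnami; the redirect chains and example.com are constructed stand-ins for the poster's real domain.

```python
# Added example: check an HTTP -> HTTPS redirect chain against the HSTS
# requirements discussed in the thread (header must be on every HTTPS hop,
# including redirects, and is pointless over plain HTTP).
MIN_MAX_AGE = 31536000  # one year, the value used throughout the thread

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value|True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() if val else True
    return directives

def hsts_ok(directives):
    """True when max-age, includeSubDomains and preload all meet the preload bar."""
    try:
        age = int(directives.get("max-age"))
    except (TypeError, ValueError):
        return False
    return (age >= MIN_MAX_AGE
            and directives.get("includesubdomains") is True
            and directives.get("preload") is True)

def check_chain(hops):
    """hops: list of (url, status, headers) as curl -LI would visit them.
    Returns a list of problems; an empty list means every HTTPS hop is fine."""
    problems = []
    for url, status, headers in hops:
        hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if url.startswith("http://"):
            if hsts is not None:
                problems.append(f"{url}: HSTS sent over plain HTTP (browsers ignore it)")
            continue
        if hsts is None:
            problems.append(f"{url}: no HSTS header on HTTPS response ({status})")
        elif not hsts_ok(parse_hsts(hsts)):
            problems.append(f"{url}: HSTS header does not meet preload requirements: {hsts}")
    return problems

HSTS = "max-age=31536000; includeSubDomains; preload"
BROKEN_CHAIN = [  # constructed: header only in the :80 vhost, the thread's intermediate state
    ("http://example.com/", 301, {"Location": "https://example.com/", "Strict-Transport-Security": HSTS}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]
FIXED_CHAIN = [  # constructed: header set in the :443 vhost, as in the final fix
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/", "Strict-Transport-Security": HSTS}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]
```

Feed it the hops from `curl -LI http://yourdomain` (one tuple per HTTP/1.1 block) to see which vhost is missing the header before re-running the hstspreload.org check.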

Hi @gongomgra, that was it!!

I commented out the two places you mentioned and added the statement to the 443 Virtual Host. Restarted Apache.

On https://hstspreload.org/, I get no errors now, and I can now submit for preload.

Do you want a support code to have a look? Otherwise, this solved the issue for me.

Hi @BufordTJustice,

Thanks for the info. I’m glad you fixed your issue! We will close this thread as solved. Please do not hesitate to open a new one with any other questions you may have.