Don't send 2 HSTS headers when RequireSSL option is enabled

Pascal
26 April 2014, 12:35
Could you please either create a new configuration option for HSTS or stop sending an HSTS header when RequireSSL is enabled? For example, I want to set a custom period of time and also set the includeSubDomains directive in the header, but I can't do that when RequireSSL is enabled without ending up with 2 contradictory HSTS headers in the HTTP response.

For the sake of simplicity, I'd vote for not implicitly sending an HSTS header when RequireSSL is enabled (especially since that behaviour is not documented anywhere). There is an example of how to set the HSTS header using the CustomHeader option in the manual already, so there is no need for a new HSTS-specific option in hiawatha.conf. You could perhaps add a hint to the RequireSSL section in the manual ("If you enable RequireSSL, you probably also want to set an HSTS header using the CustomHeader option") and change the HSTS example in the CustomHeader section to include the includeSubDomains directive, though.
Hugo Leisink
26 April 2014, 16:25
Good point. I'll make the HSTS header optional via the RequireSSL setting. For your info, the HSTS header should only be sent via HTTPS connections, not via HTTP. So, the CustomHeader is not really an option.
Pascal
27 April 2014, 18:07
Well, I could simply create 2 distinct VHosts, one for port 80 and one for port 443. I'd even prefer this solution over adding more complexity to Hiawatha's code as long as the result is the same.

The only feature that I'm *really* missing is OCSP stapling, but I guess that will first have to be implemented in PolarSSL:
https://polarssl.org/discussions/feature-request/ocsp-stapling
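The two problems raised in this thread (a duplicate Strict-Transport-Security header when RequireSSL and a CustomHeader both emit one, and an HSTS header leaking onto the plain-HTTP vhost) are easy to check for from the outside. The following linter is an added example written for this page; it is not Hiawatha code and does not depend on Hiawatha at all. It parses a raw HTTP response, applies the RFC 6797 rules that matter here (a browser processes only the first STS header field it sees, ignores the header entirely over plain HTTP, and requires a numeric max-age), and reports what a browser would actually end up with. The sample responses are constructed for the example, and the one-year minimum for max-age is an assumed policy threshold, not anything from the thread.

```python
"""Lint HTTP responses for Strict-Transport-Security (HSTS) problems.

Added example; not part of Hiawatha. The responses below are constructed
for illustration. Rules applied come from RFC 6797:
  - s8.1: if more than one STS header field arrives, only the first is processed
  - s8.1: STS header fields received over non-secure transport are ignored
  - s6.1: max-age is required and must be a number; duplicate directives are invalid
"""
import re
from typing import Optional

# Assumed policy minimum for max-age (seconds). Pick whatever your own policy says.
ONE_YEAR = 31536000


def parse_headers(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...]).

    Names are lower-cased; order is preserved because the *first* STS header
    field is the one that counts.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_sts(value: str) -> Optional[dict]:
    """Parse STS directives (RFC 6797 s6.1). Returns None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a directive may appear only once
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is mandatory and must be delta-seconds
    return directives


def lint_response(raw: str, over_tls: bool) -> list:
    """Return [(code, message), ...] describing HSTS problems in the response."""
    _, headers = parse_headers(raw)
    sts = [v for n, v in headers if n == "strict-transport-security"]
    findings = []
    if not sts:
        if over_tls:
            findings.append(("missing", "HTTPS response carries no Strict-Transport-Security header"))
        return findings
    if not over_tls:
        findings.append(("over-http", "HSTS header sent over plain HTTP; browsers must ignore it"))
    if len(sts) > 1:
        findings.append(("duplicate", f"{len(sts)} HSTS headers; browsers process only the first: {sts[0]!r}"))
    parsed = parse_sts(sts[0])
    if parsed is None:
        findings.append(("malformed", f"first HSTS header is not valid: {sts[0]!r}"))
        return findings
    max_age = int(parsed["max-age"])
    if max_age == 0:
        findings.append(("max-age-zero", "max-age=0 tells browsers to forget this host's HSTS policy"))
    elif max_age < ONE_YEAR:
        findings.append(("max-age-short", f"max-age={max_age} is below the assumed policy minimum of {ONE_YEAR}"))
    if "includesubdomains" not in parsed:
        findings.append(("no-include-subdomains", "includeSubDomains directive not set"))
    return findings


def codes(raw: str, over_tls: bool) -> list:
    """Just the finding codes, handy for scripting and tests."""
    return [c for c, _ in lint_response(raw, over_tls)]


# Constructed sample responses (not captured from any real server).
# 1: the situation from the thread, an implicit header plus a CustomHeader on the HTTPS vhost.
DUPLICATE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
# 2: the port-80 redirect vhost leaking the header (harmless to browsers, but noise).
HSTS_OVER_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.org/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
# 3: what the HTTPS vhost should send.
CLEAN_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw, tls in [("duplicate", DUPLICATE_HTTPS, True),
                            ("over-http", HSTS_OVER_HTTP, False),
                            ("clean", CLEAN_HTTPS, True)]:
        print(label, lint_response(raw, tls))
```

The first sample is the point of the thread: with two headers present the browser keeps the shorter, includeSubDomains-less one, so the CustomHeader the administrator wrote has no effect. To use the linter against a live server, capture the raw response (for example with `openssl s_client` for the HTTPS vhost and a plain socket or `nc` for port 80) and pass it to `lint_response` with the matching `over_tls` flag.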
This topic has been closed.