On 17.01.23 11:45, Deepti Sharma S wrote:
Hello,
I have tried with both Chrome and Mozilla in private window where information
is not cached. HSTS is not working on custom ports.
I'm not confident that HSTS is among those cached values that are not
shared between normal and incognito mode.
Try curl -v
As far as I know, curl does not save any HSTS state anywhere.
Thomas' suggestion makes the most sense: Once your browser knows
positively that it absolutely must connect through https on port 443, I
can easily imagine it never even to attempt to try 8080.
Also, according to the specs: The browser will - under no circumstances
- connect to your host through http.
The specs say:
|The UA MUST replace the URI scheme with "https" [RFC2818], and if the
URI contains an explicit port component of "80", then the UA MUST
convert the port component to be "443", or>> if the URI contains an
explicit port component that is not equal to "80", the port component
value MUST be preserved; otherwise, if the URI does not contain an
explicit port component, the UA MUST NOT add one. NOTE: These steps
ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS
Host.|
So, if you connect to 8080 from your browser, your browser would try to
speak https to port 8080 if it has already seen the HSTS header before.
Olaf
