James,
> On 10/14/25 6:05 PM, James H. H. Lampert wrote:
>> On 10/13/25 4:36 PM, Christopher Schultz wrote:
>> I agree with Olaf that the risk is minimal, but if you are super
>> worried you can do this: enable HSTS with a max-age of something short
>> like 5 minutes. DO NOT ENABLE PRELOAD. Do not "include subdomains".
>> Put it out there and make sure you can load your test site.
>> Once you are happy that (a) the HSTS header is present and (b)
>> everything works, you can raise the max-age to something higher and
>> more useful. Qualys's SSL Server Test will give you a higher score if
>> HSTS is enabled and the max-age is high enough.
>> At this point, you can enable PRELOAD and the browser vendors will
>> seed their products with your site's domain in their HSTS lists. At
>> this point, no browser will ever visit your web site again with plain-
>> old HTTP.
> I tried it on the guinea-pig box with 60 seconds, and it worked, at
> least far enough to present a sign-on page.
> The complaint in the report is demanding that the max-age is less than a
> full year, and that includeSubDomains is absent. So my second test is
> with a full year, and includeSubDomains.
Increasing the max-age isn't a big deal, but includeSubDomains *can be*
a big deal. If you use www.example.com for everything and you
essentially have a single service then everything is fine, but if you
have other services on another.example.com and those can't use HTTPS
then it's critically important that you do not enable
"includeSubDomains", otherwise you'll basically kill those other services.
This is more impactful when you are using example.com without any "www"
prefix, or you have complicated domain name deployments.
> As to preload, (1) the word literally never occurs in the report with
> the complaint, (2) the webapp is not intended for public use, and (3) no
> browser has ever been able to visit it with "plain-old HTTP," because
> (going back to Tomcat 7) it has never been set up to serve "plain-old
> HTTP" (it's never been set up to even listen on 80 or 8080).
Preload will just load your domain into the preload list for browsers.
The reason that's helpful is to close the "TOFU" (trust on first use)
hole. If an attacker can MITM your client the first time they try to use
the service, then they can downgrade the connection from HTTPS to HTTP
and strip out the HSTS headers, removing their efficacy.
Adding preload means that the browser knows to always use HTTPS even
before it makes a connection and sees the HSTS header for the first time.
-chris
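As an added example (not code from this thread, from Tomcat, or from any of its posters), a small Python checker for the staged rollout discussed above: it parses the Strict-Transport-Security value your test site returns and reports whether it matches the stage you are aiming for, flagging an unintended includeSubDomains and the preload prerequisites. The ONE_YEAR threshold and the "preload needs all three" rule are assumptions taken from the common preload-list requirements; the header strings in the tests are constructed, and in practice you pass in the value fetched from your own server.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the "full year" the scanner report asks for (assumed threshold)

@dataclass
class HstsPolicy:
    max_age: Optional[int]  # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means the header was absent."""
    if header is None:
        return None
    policy = HstsPolicy(None, False, False)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())  # RFC 6797 allows a quoted value
            policy.max_age = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def hsts_findings(header: Optional[str], min_max_age: int,
                  want_subdomains: bool = False, want_preload: bool = False) -> List[str]:
    """Compare the served header with the rollout stage you are aiming for.
    Empty list means it matches; otherwise one entry per problem."""
    p = parse_hsts(header)
    if p is None:
        return ["Strict-Transport-Security header is absent"]
    findings = []
    if p.max_age is None:
        findings.append("max-age is missing or malformed")
    elif p.max_age < min_max_age:
        findings.append(f"max-age={p.max_age} is below the target {min_max_age}")
    if want_subdomains and not p.include_subdomains:
        findings.append("includeSubDomains is absent")
    elif p.include_subdomains and not want_subdomains:
        # The thread's caveat: this pins every subdomain to HTTPS, not just this host.
        findings.append("includeSubDomains is set but was not intended")
    if want_preload and not (p.preload and p.include_subdomains
                             and (p.max_age or 0) >= ONE_YEAR):
        findings.append("preload needs max-age>=1 year, includeSubDomains and preload together")
    return findings
```

Run it first with the short pilot max-age (for example 300 and no subdomains), then again with ONE_YEAR and want_subdomains once every subdomain really serves HTTPS.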