I have this website set up:
http://website1.com/ - returns 301 Moved Permanently
and redirects to http://www.website1.com/.
http://www.website1.com/ - returns 301 Moved Permanently
and redirects to https://www.website2.com/.
https://www.website2.com/ - returns 200 OK
and has this in the response:
strict-transport-security: max-age=31536000; includeSubDomains
I have this subdomain running a web app: https://subdomain.website1.com/. This also has the following header in the response:
Strict-Transport-Security: max-age=31536000; includeSubDomains
I want to have preload functionality for all subdomains of website1.com. However, I get the following errors when checking eligibility:
Error: No HSTS header
Response error: No HSTS header is present on the response.
Error: HTTP redirects to www first
http://website1.com (HTTP) should immediately redirect to https://website1.com (HTTPS) before adding the www subdomain.
Right now, the first redirect is to http://www.website1.com/.
The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
The first error is easy, I can just add the HSTS header.
But why does it matter that there's a redirect?
All I want is for http://subdomain.website1.com/ to make an internal redirect to https://subdomain.website1.com/, and for http://website1.com/ to internally redirect to https://website1.com/.
Can't http://website1.com make an internal redirect to https://website1.com, regardless of the fact that it redirects to www.website1.com/?
I have this website set up: http://website1.com/ - returns 301 Moved Permanently and redirects to http://www.website1.com/.
This is your issue. http://website1.com should redirect to https://website1.com then on to https://www.website1.com.
This way the top level website1.com domain will pick up the HSTS header and protect itself and all subdomains (assuming it has the includeSubDomains attribute set, which is a prerequisite for preloading).
Without switching to HTTPS first, or if you skip straight to https://www.website1.com, the browser will never see the HSTS header on the top level domain and so will never know that it (and all subdomains) should be protected by HSTS. This is 1) less secure and 2) more risky when preloading, as maybe you still have a non-HTTPS site (e.g. http://blog.website1.com or http://intranet.website1.com). Forcing you to set this up before you preload will hopefully surface those issues while it's still possible to reverse HSTS (which is basically impossible after it's preloaded into the browser's source code, at least for many months anyway).
And the risk of accidentally locking out a non-HTTPS subdomain with preload is one reason I’ve argued in the past that preload is potentially more risky than useful, and overkill for most sites. But with HTTPS becoming the norm, I’m less against it now. Still think it’s a bit overkill except for high target sites though.
Btw, for the first error, make sure the HSTS header is included on 301 redirects. For Apache, for example, you need "always set" rather than just "set", as explained here: https://stackoverflow.com/a/48103216/2144578
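To make the answer's point concrete, here is an added example (not from the question, the answer, or hstspreload.org) that walks a redirect chain offline and reports the same two eligibility problems. The chains are constructed to mirror the question's setup and the answer's corrected setup; the max-age and preload-directive checks follow the published preload submission requirements.

```python
from urllib.parse import urlsplit

# Constructed hops: (url, status, Location header, Strict-Transport-Security header or None).
# CHAIN_AS_POSTED mirrors the question; CHAIN_FIXED follows the answer's advice.
CHAIN_AS_POSTED = [
    ("http://website1.com/", 301, "http://www.website1.com/", None),
    ("http://www.website1.com/", 301, "https://www.website2.com/", None),
    ("https://www.website2.com/", 200, None, "max-age=31536000; includeSubDomains"),
]
CHAIN_FIXED = [
    ("http://website1.com/", 301, "https://website1.com/", None),
    ("https://website1.com/", 301, "https://www.website1.com/",
     "max-age=31536000; includeSubDomains; preload"),
    ("https://www.website1.com/", 301, "https://www.website2.com/",
     "max-age=31536000; includeSubDomains; preload"),
    ("https://www.website2.com/", 200, None, "max-age=31536000; includeSubDomains"),
]


def parse_hsts(value):
    """Split an HSTS header value into a dict of lower-cased directive -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def check_preload_chain(domain, chain):
    """Return the preload-eligibility problems found when following chain for http://domain/."""
    errors = []
    first_location = urlsplit(chain[0][2] or "")
    # Rule from the error message: the very first hop must be http://domain -> https://domain.
    if first_location.scheme != "https" or first_location.hostname != domain:
        errors.append("HTTP redirects to www first: http://%s should redirect to https://%s" % (domain, domain))
    # The browser only records HSTS for the apex when an HTTPS response from the apex carries it.
    apex_https = [hop for hop in chain
                  if urlsplit(hop[0]).scheme == "https" and urlsplit(hop[0]).hostname == domain]
    if not apex_https or apex_https[0][3] is None:
        errors.append("No HSTS header: no HTTPS response from %s carries Strict-Transport-Security" % domain)
        return errors
    directives = parse_hsts(apex_https[0][3])
    if int(directives.get("max-age", "0")) < 31536000:
        errors.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in directives:
        errors.append("includeSubDomains directive missing")
    if "preload" not in directives:
        errors.append("preload directive missing")
    return errors
```

Running check_preload_chain("website1.com", CHAIN_AS_POSTED) reproduces both errors from the question, while the fixed chain returns an empty list.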