1

I have implemented the HSTS in my ASP.Net MVC based Website. But if I make a HTTP(not HTTPS) request, the request is propagating using the HTTP channel and the response is 301: Moved Permanently. And from the 2nd request onwards, it is communicating using HTTPS.

Is this the correct behavior of HSTS ? I am bit concerned about, if someone deliberately request for http traffic is it still accepting it (the first request).

Improve this question
1
  • 1
    The browser can only pick up the HSTS header after the first visit (if it's not preloaded). So that's exactly the expected behavior. Commented Apr 3, 2017 at 4:23

1 Answer 1

Reset to default
1

There is a concept called TOFU(Trust On First Use) along with HSTS. You need add your URL to the HSTS Preload List to enable your first request with HSTS. It is checking your HSTS attributes such as max-age and includeSubDomains etc... and adds your site to the list if it compliance.

You can check existing HSTS enabled site list in the chromium project git. You can load one of these correctly implemented HSTS sites and check how those are behaving.

You can check the browser (chrome) related HSTS settings using this url

Improve this answer
3
  • 1
    What you wrote about 301 vs. 307 is wrong: there is no performance or security improvement since in both cases the response containing the code is still send to the browser which then creates a new HTTP request to the new target. The main difference is that 307 definitely does not change the request method whereas the semantics with 301/302 are not clear. Apart from that 307 is a temporary redirect (not internal like you've stated) compared to 301 being a permanent redirect - the last being more appropriate since compared to 302/307 the browser will not retry the original URL later. Commented Apr 3, 2017 at 4:56
  • Thanks for the update guys. i think I better add my site to the preload list first. Commented Apr 3, 2017 at 6:03
  • @Steffan: Thanks for the update mate ! I have updated the answer. Commented Apr 3, 2017 at 6:06

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.