Server Header Related Info | issues on GitHub - conditional redirect in .htaccess - janwillemstegink.nl
| hostingtool.nl | www.hostingtool.nl |
| --- | --- |
| initial: 302 - https://hostingtool.nl/ | initial: 302 - https://www.hostingtool.nl/ |
| destination: (No cURL on the same server) | destination: (No cURL on the same server) |
| An apex domain is a root domain that does not contain a subdomain part. A CNAME record is not allowed at the root domain. | The www subdomain is often considered unnecessary, but it has some useful aspects. If you host elsewhere, such as with microsoft.com, e-mail traffic can remain secure. For a URL with a subdomain such as www, HSTS can be set more precisely. |
| A: 136.144.238.43 - fallback.hostfusion.nl; AAAA: 2a01:7c8:d008:32:5054:ff:fee8:665a - fallback.hostfusion.nl | A: 136.144.238.43 - fallback.hostfusion.nl; AAAA: 2a01:7c8:d008:32:5054:ff:fee8:665a - fallback.hostfusion.nl |
| priority target: 0 . | priority target: 0 . |
| `google-site-verification=yxZ4fFAPgXJtLhym2DA0fBqu5ug2Q4vyMy6J34SCpSA`, `v=spf1 -all` | `v=spf1 -all` |
RFC 9116: The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3).
RFC 9116: It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness.
Suggestion 1: The data contained in the "security.txt" file MUST expire on the date and time given in the "Expires" field, because an annual audit cycle is desirable.
Suggestion 2: For a one-off annual cycle check to work, the "Expires" date and time is at most 398 (366+31+1) days into the future, equal to the TLS certificate lifespan.
Suggestion 3: An annual audit requires a scheduled date on the office calendar, and customer requests cannot be handled if they are concentrated in one part of the year.
| hostingtool.nl | www.hostingtool.nl |
| --- | --- |
| https://hostingtool.nl/security.txt | https://www.hostingtool.nl/security.txt |
| No HTTP 200 OK. | No HTTP 200 OK. |
| https://hostingtool.nl/.well-known/security.txt redirects to https://janwillemstegink.nl/.well-known/security.txt | https://www.hostingtool.nl/.well-known/security.txt redirects to https://janwillemstegink.nl/.well-known/security.txt |

Content served at the redirect target (identical for both):

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:techdesk@hostfusion.nl
Expires: 2024-12-31T23:59:59.000Z
Preferred-Languages: nl, en, de, fr
# Customer .htaccess: Redirect 302 /.well-known/security.txt https://janwillemstegink.nl/.well-known/security.txt
Canonical: https://janwillemstegink.nl/.well-known/security.txt
Canonical: https://www.janwillemstegink.nl/.well-known/security.txt
Encryption: https://janwillemstegink.nl/gpg.asc
-----BEGIN PGP SIGNATURE-----

iQFLBAABCAA1FiEEksXloq3N4Jr349WSVP1h4EYjfIMFAmVWwUQXHHRlY2hkZXNr
QGhvc3RmdXNpb24ubmwACgkQVP1h4EYjfIPruAf+ONEh3iW1hK21MsYcqDxlP/oP
oHxu5gBCNEG/C8krPKPnRFkX1sJx6KdtnvZw82NZb/RsKwi/8840uqL6eIHWkhUg
OEJIoXxPkeeCEdOZxCyz28zw4hsgPVAFiuUgVznMa9XRbbwz8BBMLwZrycfHKpS5
RP6fT5bjCqxlm2V1BVSiUf6S7i3x4TrC/Mtf9LRjePurpQfb8IWTtBD0LJVGlEVI
T1tvUdBIhidQ97cbjbx9FfxVy4uOZ7XeL5rSndNOyJNcfmqhpeNskXsxxFXofuh8
H55z37vT1KnDT1/gEoe98JLkConmed4spzdftMKkH8KIosF5005xsKFr+IH+Bw==
=5tR1
-----END PGP SIGNATURE-----
```
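The "Expires" rules quoted above (RFC 9116 staleness, the recommended one-year horizon, and Suggestion 2's 398-day ceiling) as a small checker. This is an added example, not code from the page or from the hostingtool.nl checker; the embedded security.txt is a constructed copy of the file shown above with the signature body shortened, and the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the security.txt served for janwillemstegink.nl as shown on this
# page, with the PGP signature body shortened; only the Expires field matters here.
SAMPLE_SECURITY_TXT = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:techdesk@hostfusion.nl
Expires: 2024-12-31T23:59:59.000Z
Preferred-Languages: nl, en, de, fr
Canonical: https://janwillemstegink.nl/.well-known/security.txt
Encryption: https://janwillemstegink.nl/gpg.asc
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
"""

MAX_DAYS_RFC = 365          # RFC 9116: RECOMMENDED to be less than a year ahead
MAX_DAYS_SUGGESTION = 398   # Suggestion 2 on this page: 366 + 31 + 1 days

# Field names are case-insensitive; match one value token per line.
_EXPIRES_RE = re.compile(r"^expires:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_expires(text):
    """Return the Expires value as an aware UTC datetime, or None if absent or invalid."""
    matches = _EXPIRES_RE.findall(text)
    if len(matches) != 1:           # RFC 9116 requires exactly one Expires field
        return None
    value = re.sub(r"Z$", "+00:00", matches[0])   # fromisoformat before 3.11 rejects "Z"
    try:
        expires = datetime.fromisoformat(value)
    except ValueError:
        return None
    if expires.tzinfo is None:      # RFC 9116 requires a time zone in the ISO 8601 value
        return None
    return expires.astimezone(timezone.utc)


def check_expires(text, now):
    """Classify a security.txt against the staleness rules; `now` is an aware datetime."""
    expires = parse_expires(text)
    if expires is None:
        return {"expires": None, "days_left": None, "status": "missing_or_invalid"}
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "stale"                      # RFC 9116: must not be used any more
    elif remaining > timedelta(days=MAX_DAYS_SUGGESTION):
        status = "exceeds_398_days"           # fails Suggestion 2's annual-cycle ceiling
    elif remaining > timedelta(days=MAX_DAYS_RFC):
        status = "over_one_year"              # valid, but against the RFC recommendation
    else:
        status = "ok"
    return {"expires": expires, "days_left": remaining.days, "status": status}


if __name__ == "__main__":
    # Constructed "now": the Date header of the initial response on this page.
    now = datetime(2024, 4, 26, 8, 34, 44, tzinfo=timezone.utc)
    print(check_expires(SAMPLE_SECURITY_TXT, now))
```

Passing `now` in explicitly keeps the check reproducible for an audit record; a scheduled job would pass `datetime.now(timezone.utc)` instead.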
RFC 6797, 8.1: If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field.
Strict Transport Security delivered over HTTPS is called HSTS. A server header is only compliant, even when the response is just a URL redirect, if it carries a functioning HSTS security header.
Although browsers do not strictly enforce the rule above, the internet.nl tool tests that the security header is present on the initial URL served over HTTPS; otherwise it does not count.
With multiple HSTS header values (an application can also set a security header), strictly speaking the first security header applies to the user agent (UA).
The internet.nl tool only tests the initial header in the initial server header.
In practice the last security header is chosen, as in the securityheaders.com tool. Note: the securityheaders.com tool does not test and report correctly on rewrites to HTTPS and redirections.
General approach: make sure the security headers are read correctly from the initial server header(s), and be aware of how a subsequent value of the same security header is interpreted.
First rewrite the URL to HTTPS using the checkbox in the control panel; second, set the security header values; and finally, if applicable, redirect (conditionally) with a 301 or 302.
A server header requires sufficient settings before it can be exposed safely to the public Internet. Avoid the HSTS preload list without understanding its implications.
Initial server header (identical for hostingtool.nl and www.hostingtool.nl):

```http
HTTP/1.1 302 Found
Date: Fri, 26 Apr 2024 08:34:44 GMT
Server: Apache/2
X-Powered-By: PHP/8.3.6
Strict-Transport-Security: max-age=63072000; includeSubDomains
Upgrade: h2, h2c
Connection: Upgrade
Location: server_headers
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-src 'self'; connect-src 'self'; form-action 'self'; font-src 'self' data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' data:;
Permissions-Policy: geolocation=()
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
```
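The first-header rule from RFC 6797 8.1 discussed above, applied to a raw server header: the code keeps every Strict-Transport-Security field in order, reports the first (what a UA must use) next to the last (what a tool that takes the last value reports), and ignores the policy when the response was not over secure transport. This is an added example, not code from the page or from the internet.nl or securityheaders.com tools; the sample response is a constructed, shortened copy of the initial header above with a second STS field appended to show the discrepancy, and all function names are my own.

```python
# Constructed sample: the initial response shown on this page, shortened, with a
# second Strict-Transport-Security field appended as an application might add one.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Fri, 26 Apr 2024 08:34:44 GMT
Server: Apache/2
Strict-Transport-Security: max-age=63072000; includeSubDomains
Location: server_headers
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=300
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Split a raw response into (status_line, [(name, value), ...]), keeping field order."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status, fields = lines[0], []
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split on the first colon only
        fields.append((name.strip().lower(), value.strip()))
    return status, fields


def parse_sts(value):
    """Parse one STS field value per RFC 6797 6.1.

    Returns a policy dict, or None when a UA must ignore the field: missing or
    non-numeric max-age, or a directive that appears more than once.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                          # each directive at most once
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')          # max-age value may be quoted
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored
    if policy["max_age"] is None:                 # max-age is REQUIRED
        return None
    return policy


def effective_hsts(raw, over_https=True):
    """Apply RFC 6797 8.1: only the first STS field counts, and only over secure transport.

    "last" is reported alongside so a discrepancy with tools that take the last
    value (as described for securityheaders.com) is visible.
    """
    _, fields = parse_headers(raw)
    sts_values = [v for n, v in fields if n == "strict-transport-security"]
    report = {"count": len(sts_values), "first": None, "last": None, "effective": None}
    if not sts_values:
        return report
    report["first"] = parse_sts(sts_values[0])
    report["last"] = parse_sts(sts_values[-1])
    if over_https:                                # STS over plain HTTP MUST be ignored
        report["effective"] = report["first"]
    return report


if __name__ == "__main__":
    print(effective_hsts(SAMPLE_RESPONSE))
```

Run against the sample, `effective` is the two-year policy with includeSubDomains while `last` is the 300-second one; when the two differ, the header set in the control panel and the one set by the application need to be reconciled rather than trusting whichever a particular tool happens to report.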
cURL info for https://hostingtool.nl/:

```
url: https://hostingtool.nl/
content_type: text/html; charset=UTF-8
http_code: 302
header_size: 747
request_size: 131
filetime: -1
ssl_verify_result: 0
redirect_count: 0
total_time: 0.01524
namelookup_time: 0.002896
connect_time: 0.003018
pretransfer_time: 0.014102
size_upload: 0
size_download: 0
speed_download: 0
speed_upload: 0
download_content_length: -1
upload_content_length: -1
starttransfer_time: 0.015198
redirect_time: 0
redirect_url: https://hostingtool.nl/server_headers
primary_ip: 2a01:7c8:d008:32:5054:ff:fee8:665a
certinfo: Array
primary_port: 443
local_ip: 2a01:7c8:d008:32:5054:ff:fee8:665a
local_port: 47242
http_version: 2
protocol: 2
ssl_verifyresult: 0
scheme: HTTPS
appconnect_time_us: 14067
connect_time_us: 3018
namelookup_time_us: 2896
pretransfer_time_us: 14102
redirect_time_us: 0
starttransfer_time_us: 15198
total_time_us: 15240
```

cURL info for https://www.hostingtool.nl/:

```
url: https://www.hostingtool.nl/
content_type: text/html; charset=UTF-8
http_code: 302
header_size: 747
request_size: 135
filetime: -1
ssl_verify_result: 0
redirect_count: 0
total_time: 0.015519
namelookup_time: 0.002777
connect_time: 0.002871
pretransfer_time: 0.014229
size_upload: 0
size_download: 0
speed_download: 0
speed_upload: 0
download_content_length: -1
upload_content_length: -1
starttransfer_time: 0.015467
redirect_time: 0
redirect_url: https://www.hostingtool.nl/server_headers
primary_ip: 2a01:7c8:d008:32:5054:ff:fee8:665a
certinfo: Array
primary_port: 443
local_ip: 2a01:7c8:d008:32:5054:ff:fee8:665a
local_port: 47252
http_version: 2
protocol: 2
ssl_verifyresult: 0
scheme: HTTPS
appconnect_time_us: 14194
connect_time_us: 2871
namelookup_time_us: 2777
pretransfer_time_us: 14229
redirect_time_us: 0
starttransfer_time_us: 15467
total_time_us: 15519
```