I've set up Apache to use HSTS as follows just for testing and learning purposes only:
/etc/apache2/sites-enabled/000-default.conf
NameVirtualHost 192.168.3.55:80
NameVirtualHost 192.168.3.55:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<VirtualHost www:80>
ServerName www
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost www:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName www
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/mysitename.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/mysitename.key"
Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;"
</VirtualHost>
I can connect to port 80 and port 443 just fine. The first site is not encrypted and the latter is. All Good there.
After I visit HTTPS site, I see the hsts headers just fine:
Strict-Transport-Security:max-age=63072000; includeSubdomains;
When I then type in http://www I do see:
Upgrade-Insecure-Requests: 1 in the header using developer tools
However, the browser connects to the HTTP site, I tcpdump the request and see the response is in the clear as well still.
Shouldn't it be a secured connection or am I missing something? I thought the browser would only attempt to visit the secured site from now on)
It might be a result of your attempt to obfuscate the domain name but HSTS requires the FQDN
www.example.comand won't work with short hostnames such aswww.Since I'm testing I don't have a valid cert, it was self signed. Oops. Live and learn.