Hsts on main port 80, not on other ports

hsts

I have set HSTS for my domain on the site http://server.mydom.tld:80, so the browser goes to https://server.mydom.tld on port 443.

However, I also have other webservers, running on other ports.
So when I go to http://server.mydom.tld:8888 it gets forwarded to https://server.mydom.tld:8888, but that server does not run https, so the request fails.

Is that according to spec?

I noticed I don't run hsts on http://mydom.tld or http://www.mydom.tld, which is probably a mistake.

What to do?

Best Answer

Yes, this is intentional. RFC 6797 states:

     The UA MUST replace the URI scheme with "https" [RFC2818], and

     if the URI contains an explicit port component of "80", then
     the UA MUST convert the port component to be "443", or

     if the URI contains an explicit port component that is not
     equal to "80", the port component value MUST be preserved;
     otherwise,

     if the URI does not contain an explicit port component, the UA
     MUST NOT add one.

     NOTE:  These steps ensure that the HSTS Policy applies to HTTP
            over any TCP port of an HSTS Host.

You should run plain HTTP services on a different domain, or even better, use an HTTP+TLS server as a reverse proxy to the internal plain HTTP service.
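The port rules quoted above, written out as an added example (not part of the original answer): the first function rewrites a URL the way an HSTS-aware browser does, and the second lists which plain-HTTP ports on the host will break once HSTS is pinned. The host name and port numbers are taken from the question; `apply_hsts_rewrite` and `hsts_breakage` are names chosen here.

```python
from urllib.parse import urlsplit, urlunsplit


def apply_hsts_rewrite(url: str) -> str:
    """Rewrite an http:// URL as an HSTS-aware UA does (RFC 6797, section 8.3).

    - the scheme becomes "https"
    - an explicit ":80" becomes ":443"
    - any other explicit port is preserved unchanged
    - if there is no explicit port, none is added
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # only insecure http:// requests are rewritten

    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # keep IPv6 literals bracketed

    userinfo = ""
    if parts.username:
        userinfo = parts.username
        if parts.password:
            userinfo += f":{parts.password}"
        userinfo += "@"

    if parts.port is None:
        port_part = ""          # no explicit port: the UA MUST NOT add one
    elif parts.port == 80:
        port_part = ":443"      # explicit 80 is converted to 443
    else:
        port_part = f":{parts.port}"  # any other explicit port is preserved

    netloc = f"{userinfo}{host}{port_part}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def hsts_breakage(plain_http_ports, tls_ports):
    """Return (http_port, rewritten_port) pairs that no longer work under HSTS.

    A plain-HTTP port breaks when the port the UA rewrites it to does not
    actually serve TLS on this host.
    """
    broken = []
    for port in sorted(plain_http_ports):
        target = 443 if port == 80 else port
        if target not in tls_ports:
            broken.append((port, target))
    return broken


if __name__ == "__main__":
    # Constructed scenario from the question: TLS only on 443, plain HTTP on 80 and 8888.
    print(apply_hsts_rewrite("http://server.mydom.tld:8888/"))
    print(hsts_breakage({80, 8888}, {443}))
```

Running it shows port 8888 being preserved by the rewrite and reported as the one service that stops working, which is exactly the failure described in the question.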
