We have a website running in HTTPS on the following URL: abc.example.com. The problem is that our client thought that any website URL should start with www and has printed www.abc.example.com on all its labels…

No problem, I simply created a redirect rule using IIS's URL Rewrite feature to redirect all hostnames to https://abc.example.com. So far so good.

A few months ago, we received an e-mail from their IS department, stating that abc.example.com was lacking the Strict-Transport-Security header. They asked us to implement the following header:

Strict-Transport-Security = max-age=31536000; includeSubDomains; preload.

At that time I was not fully aware of the exact function of this header, so I blindly added it to the website. I did test the website, I just never tested it using www.abc.example.com.

I only found out just now that this HSTS header will redirect all HTTP URLs to HTTPS URLs by itself, resulting in neglecting my custom redirection rules. The problem now is that users enter http://www.abc.example.com and get redirected to https://www.abc.example.com, instead of https://abc.example.com, resulting in an SSL certificate error because www.abc.example.com does not have an SSL certificate.

As long as includeSubDomains is active, there is very little I seem to be able to do to prevent this from happening on the webserver, unless I'd set up an SSL certificate specifically for www.abc.example.com.

That's why I thought of trying to solve this by redirecting at DNS level, using a CNAME record: www.abc.example.com. CNAME abc.example.com.

My question is, will this work? When a user enters http://www.abc.example.com, will the CNAME record first redirect this URL to http://abc.example.com and then successfully redirect to https://abc.example.com using the HSTS header? Or will the parameter preload prevent this from happening, even at DNS level?

Any suggestions or help is appreciated.
Best Answer
No, it will not work. There's no such thing as redirecting on the DNS level; redirection is a feature of the HTTP protocol, while DNS (both A and CNAME) records are used only for resolving the IP address.

There's also no use trying to revoke the situation by removing the header, as it will be cached on every browser for 31536000 seconds, i.e. 365 days.

However, if you don't implement HSTS this way, you don't gain much of its benefits, as someone could try to modify http://www.abc.example.com before it gets redirected to https://.

Here, the only exit might be getting a wildcard certificate covering *.abc.example.com, or a multi-hostname certificate having both as Subject Alternative Names.