pages:howtos:diagnose:check-hsts-header [2023/01/07 13:01] (current) – Page moved from pages:howtos:misc:check-hsts-header to pages:howtos:diagnose:check-hsts-header (rokkitlawnchair)
{{tag>hsts apache security header hardening http https ssl encryption howto}}
====== Check HSTS Header ======
* [[https://tools.ietf.org/html/rfc6797#section-5.2|Documentation for HSTS]]

How to check whether a host sends the HSTS (Strict-Transport-Security) response header, using curl to fetch only the headers of an HTTPS response.

===== Host without HSTS =====
<sxh bash; gutter: false>
curl --head -s https://www.example.com/
</sxh>

  HTTP/2 200 
  accept-ranges: bytes
  age: 319222
  cache-control: max-age=604800
  content-type: text/html; charset=UTF-8
  date: Tue, 19 Jan 2021 22:57:03 GMT
  etag: "3147526947"
  expires: Tue, 26 Jan 2021 22:57:03 GMT
  last-modified: Thu, 17 Oct 2019 07:18:26 GMT
  server: ECS (nyb/1D1E)
  x-cache: HIT
  content-length: 1256

===== Host with HSTS =====
<sxh bash; gutter: false>
curl --head -s https://www.sdk.de/
</sxh>

  HTTP/1.1 200 OK
  Date: Tue, 19 Jan 2021 22:56:20 GMT
  Server: Apache
  Content-Language: de
  Expires: Wed, 20 Jan 2021 15:32:32 GMT
  Cache-Control: max-age=59772
  Pragma: public
  Strict-Transport-Security: max-age=16070400; includeSubDomains
  Vary: Host,User-Agent
  Content-Security-Policy: img-src 'self' data: app.usercentrics.eu maps.googleapis.com www.facebook.com www.youtube.com www.google.com google.com *.google.com www.google.de google.de *.google.de rtclauncher.luware.com rtclauncherapi.luware.com maps.gstatic.com *.ressourcenmangel.de ressourcenmangel.de *.google-analytics.com google-analytics.com maps.google.com *.googletagmanager.com googletagmanager.com googleadservices.com googleusercontent.com *.etracker.com etracker.com *.etracker.de etracker.de stats.g.doubleclick.net; script-src 'self' tagmanager.google.com www.google.de app.usercentrics.eu www.youtube.com s.ytimg.com maps.googleapis.com 'unsafe-inline' 'unsafe-eval' www.facebook.com connect.facebook.net www.google.com rtclauncher.luware.com maps.gstatic.com *.freegeoip.net freegeoip.net app.usercentrics.eu *.googletagmanager.com googletagmanager.com *.etracker.com etracker.com *.etracker.de etracker.de maps.googleapis.com maps.google.com *.google-analytics.com google-analytics.com *.gstatic.com gstatic.com;
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: no-referrer-when-downgrade
  X-UA-Compatible: IE=edge
  X-Content-Type-Options: nosniff
  X-Frame-Options: ALLOWALL
  Content-Type: text/html; charset=utf-8

<sxh bash; gutter: false>
# grep -i: HTTP/2 servers (see the first example) send header names in lowercase,
# which a case-sensitive "grep Strict" would miss
curl --head -s https://www.sdk.de/ | grep -i strict-transport-security
</sxh>
  Strict-Transport-Security: max-age=16070400; includeSubDomains
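
Added example, not part of the original page: a small POSIX shell function that applies the grep check above to any header block and also judges what the header says (max-age present and not zero, long enough, includeSubDomains set). It assumes a one-year max-age as the bar, which is the common recommendation and the hstspreload.org requirement rather than anything the page itself states; the sample responses are constructed.

```shell
#!/bin/sh
# Grade the HSTS policy in a raw header block as printed by `curl --head -s`.
# Reads the headers on stdin, prints NONE / WEAK <reason> / OK max-age=<n>,
# and returns 0 only for OK so it can gate a script.
# Threshold (assumed here): 31536000 s (one year), the value commonly
# recommended and required for the hstspreload.org list.
hsts_check() {
  # -i: HTTP/2 servers send header names in lowercase; CRs are stripped so
  # the value compares cleanly.
  hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | tr 'A-Z' 'a-z')
  if [ -z "$hdr" ]; then
    echo "NONE"
    return 1
  fi
  max_age=$(printf '%s' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$max_age" ]; then
    echo "WEAK missing max-age"            # RFC 6797 6.1: max-age is required
    return 1
  fi
  if [ "$max_age" -eq 0 ]; then
    echo "WEAK max-age=0 (policy is being withdrawn)"
    return 1
  fi
  if [ "$max_age" -lt 31536000 ]; then
    echo "WEAK max-age=$max_age is below one year"
    return 1
  fi
  case "$hdr" in
    *includesubdomains*) ;;
    *) echo "WEAK includeSubDomains missing"; return 1 ;;
  esac
  echo "OK max-age=$max_age"
}

# Constructed sample responses (not captured from real hosts)
NO_HSTS='HTTP/2 200
content-type: text/html; charset=UTF-8'
SHORT_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=16070400; includeSubDomains'
GOOD_HSTS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload'

printf '%s\n' "$NO_HSTS" | hsts_check || true     # NONE
printf '%s\n' "$SHORT_HSTS" | hsts_check || true  # WEAK max-age=16070400 is below one year
printf '%s\n' "$GOOD_HSTS" | hsts_check           # OK max-age=63072000
# Live check:  curl --head -s https://www.sdk.de/ | hsts_check
```

Always query the https:// URL: RFC 6797 (section 8.1) has browsers ignore the header when it arrives over plain HTTP, so an http:// response that merely redirects proves nothing about the policy.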

----
~~DISCUSSION~~