• Resolved zigojacko

    (@zigojacko)


    If your default web address (as specified in the WordPress settings) starts ‘https://www’ then in order to be HSTS eligible, you need to preload example.com first before www.example.com and ensure that the http to https redirect happens before the non-www to www redirect.

    Your plugin doesn’t do this.

    It is in fact WordPress by default that is initiating the www redirect before the https redirect when the web address in the settings is set to https://www….

    You’re only HSTS compliant when your website checks okay at https://hstspreload.org so that you can submit the form to browsers.

    • This topic was modified 7 years, 6 months ago by zigojacko.
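The redirect-ordering rule described in this post, as an added example that is not part of the thread or of either plugin mentioned in it: a small Python model of the hstspreload.org checks, run over constructed redirect chains (all URLs, status codes and headers are made-up sample data, and the rules are a simplified reading of the preload requirements).

```python
# Offline model of the hstspreload.org redirect checks this thread is about;
# constructed (status, headers) tuples stand in for live fetches. Rule modelled:
# each http:// hop redirects to https:// on the same host (root before www),
# and each https:// hop, even a redirecting one, sends a qualifying HSTS header.
from urllib.parse import urlparse

ONE_YEAR = 31536000
REDIRECTS = {301, 302, 307, 308}
HSTS = "max-age=31536000; includeSubDomains; preload"

def hsts_ok(value):
    """True if Strict-Transport-Security meets the preload-list requirements."""
    d = {}
    for part in (value or "").split(";"):
        name, _, val = part.strip().partition("=")
        d[name.lower()] = val.strip()
    return (d.get("max-age", "").isdigit() and int(d["max-age"]) >= ONE_YEAR
            and "includesubdomains" in d and "preload" in d)

def preload_problems(domain, responses):
    """Follow the chain from http://domain; responses must cover every hop."""
    problems, url, seen = [], f"http://{domain}", set()
    while url and url not in seen:
        seen.add(url)
        status, headers = responses[url]
        here = urlparse(url)
        nxt = headers.get("Location") if status in REDIRECTS else None
        if here.scheme == "http":
            hop = urlparse(nxt or "")
            if hop.scheme != "https" or hop.hostname != here.hostname:
                problems.append(f"{url} must redirect to https://{here.hostname}, got {nxt}")
        elif not hsts_ok(headers.get("Strict-Transport-Security")):
            problems.append(f"{url} lacks HSTS (max-age>={ONE_YEAR}; includeSubDomains; preload)")
        url = nxt
    return problems

# Constructed: WordPress's default order, www redirect first, then https.
WP_DEFAULT = {
    "http://example.com": (301, {"Location": "http://www.example.com"}),
    "http://www.example.com": (301, {"Location": "https://www.example.com"}),
    "https://www.example.com": (200, {"Strict-Transport-Security": HSTS}),
}
# Constructed: https first on the root, HSTS sent on the redirecting hop as well.
FIXED = {
    "http://example.com": (301, {"Location": "https://example.com"}),
    "https://example.com": (301, {"Location": "https://www.example.com",
                                  "Strict-Transport-Security": HSTS}),
    "https://www.example.com": (200, {"Strict-Transport-Security": HSTS}),
}
```

`preload_problems("example.com", WP_DEFAULT)` reports the first hop going to www over plain http, while `FIXED` returns no problems; dropping the HSTS header from the redirecting `https://example.com` hop in `FIXED` makes it fail again.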
Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author shawfactor

    (@shawfactor)

    This plugin does make the website HSTS eligible!!

    However you are right that the plugin does not allow sites to have HSTS preloaded if their canonical url is not the root domain (they are still HSTS, ie the browser will remember they are HSTS once they have been visited). I will need to look into this. Whilst I think I can patch this, it might cause other problems.

    Thread Starter zigojacko

    (@zigojacko)

    I mean it didn’t in my case – and probably thousands of other websites that use the www sub-domain.

    I never managed to get it to work with your plugin installed despite tons of ‘hacks’ with manual redirects and different WordPress configuration settings.

    I did however install another plugin that actually handled it all and when setting the HSTS header in .htaccess, it passed the preload check.

    The plugin was JSM’s Force SSL / HTTPS if that’s any use to you.

    Plugin Author shawfactor

    (@shawfactor)

    I think you misunderstand the point.

    Whether HSTS is preloaded or not, the website is HSTS compliant.

    It is just that in one case that fact is preloaded, ie included in Chrome’s HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.

    If the browser ever visits example.com directly it will (after that visit) be remembered as hsts.

    Thank you though, I will look at that plugin. The solution is not that hard but I need to think about it as it may cause other problems.

    Thread Starter zigojacko

    (@zigojacko)

    Sorry, I don’t think I worded it correctly. Yes, technically, the website is HSTS compliant but because of the WordPress handling of its internal www redirect, it just wouldn’t let me submit the domain to the browser preload list. You get what I’m saying though so thanks for looking into it 🙂

    Plugin Author shawfactor

    (@shawfactor)

    Zigojacko,

    After more analysis, yes I can get the redirect to the https version of the subdomain first and also send the HSTS headers before that redirect. See example here:

    http://www.northerntouch.org

    BUT it still will not be added to the list, in fact subdomains cannot be added to the list. Do you have an example of website where you have this working using the other plugin you mentioned?

    Pete

    Plugin Author shawfactor

    (@shawfactor)

    Hello, can you send a sample link?

    • This reply was modified 7 years, 6 months ago by shawfactor.
    Thread Starter zigojacko

    (@zigojacko)

    Sorry for the delay in replying.

    I unfortunately don’t have an example for you any longer because the website uses a different plugin now which we got working but in fact (for other reasons), we switched the domain to the non-www version by default too.

    If it is still of any use for you though, the website in question was factoringsolutions.co.uk.

    Plugin Author shawfactor

    (@shawfactor)

    Hmm, I installed the JSM plugin, did not work at all. As far as I can see it only does https anyway…

    Also as far as I can see the preload list does not take non-root domains anyway, so I don’t think there is a solution to this…

    Plugin Author shawfactor

    (@shawfactor)

    I am resolving this for good order, but will still monitor the thread.


The topic ‘This doesn’t make a website HSTS eligible’ is closed to new replies.