Redirect to https and only after to www when HSTS and www preferred domain are enabled
Hello, it would be good if Plesk could redirect to https and only after to www when www preferred domain is enabled, because when submitting your domain on https://hstspreload.org it gives me this error (I replaced my domain with a fake one, obviously).
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
Implementation of this "feature" should not depend on popularity. It is the only right *and* secure way to redirect from non-www to www domain. If this is not done, then the HSTS header is never sent for the non-www version of the domain, allowing MITM attacks / stripping HTTPS.
IMHO Plesk should use the secure way by default: redirect from HTTP to HTTPS first (allowing the HSTS header to be sent) and *then* redirect from non-www to www.
If there really are people who wish to not do this, avoid one redirect and immediately redirect to https://www.domain.tld, then allow them to override the secure default. IMHO this is over-optimization, as these days (with HTTP/2) there is not nearly as much overhead as there was before.
Please fix this if this is not done already. :-)
And it also should give the ability to put one year to the max-age var.
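
The redirect order argued for in this thread can be checked against a recorded redirect chain. The Python below is an added example, not code from the thread or from Plesk; `check_chain`, `parse_hsts`, the hop tuples and the `example.test` domain are constructed for illustration, and header names are assumed to be spelled exactly as shown.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def check_chain(apex, chain):
    """chain: (url, status, headers) hops starting at http://<apex>/.
    Returns a list of problems; an empty list means the order is safe."""
    problems = []
    first_url, status, headers = chain[0]
    target = urlsplit(headers.get("Location", ""))
    if urlsplit(first_url).scheme != "http" or status not in (301, 302, 307, 308):
        problems.append("first hop is not an HTTP redirect")
    elif target.scheme != "https" or target.hostname != apex:
        problems.append("HTTP redirect leaves the host before upgrading to HTTPS")
    # The bare domain only gets HSTS protection if https://<apex>/ itself answers.
    on_apex = [h for u, _, h in chain
               if urlsplit(u).scheme == "https" and urlsplit(u).hostname == apex]
    if not on_apex:
        problems.append("https://%s is never requested, so it never sends HSTS" % apex)
    else:
        hsts = parse_hsts(on_apex[0].get("Strict-Transport-Security"))
        if "max-age" not in hsts:
            problems.append("no HSTS header on https://%s" % apex)
        elif not hsts["max-age"].isdigit() or int(hsts["max-age"]) < ONE_YEAR:
            problems.append("HSTS max-age is below one year")
    return problems

# Constructed sample chains (example.test is a placeholder domain).
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WWW_FIRST = [
    ("http://example.test/", 301, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200, HSTS),
]
HTTPS_FIRST = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 301, {"Location": "https://www.example.test/", **HSTS}),
    ("https://www.example.test/", 200, HSTS),
]

if __name__ == "__main__":
    for name, chain in (("www first", WWW_FIRST), ("https first", HTTPS_FIRST)):
        print(name, check_chain("example.test", chain) or "ok")
```

The hops can be recorded from any client that reports each response in a redirect chain without following it automatically.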