
Strict Transport Security header

Question asked by Clerkendweller on Nov 25, 2010
Latest reply on Nov 25, 2010 by Clerkendweller

Using SSL Labs, I looked at a few sites with Strict-Transport-Security enabled, and they don't all seem to be marked as "Yes" in SSL Labs, e.g. a PayPal server:
Date: Thu, 25 Nov 2010 11:24:19 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Expires: Thu, 05 Jan 1995 22:00:00 GMT
Set-Cookie: .....
Apache=; path=/; expires=Sat, 17-Nov-40 11:24:19 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=500
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

200 OK

In SSL Labs:
  Strict Transport Security     No

I realise these two might not be the same server, but I would imagine PayPal have this header on all their servers? I also get the impression that some data (e.g. header signature) are being cached in SSL Labs, even when "Clear cache" is selected, and wonder if this is related.
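As an added example (my own code, not SSL Labs' or PayPal's), here is a small Python checker that reads a raw response head like the one quoted in the question and reports whether a Strict-Transport-Security policy is present, well-formed and long-lived, following the directive-parsing rules of RFC 6797. The sample response is constructed from the headers above, and the one-year minimum it reports against is an assumption of the example (RFC 6797 leaves the choice of max-age to the site); it goes beyond the single case in the post by also handling a missing header, a malformed value, max-age=0 and duplicate header fields.

```python
import re

# Constructed sample modelled on the response head quoted in the question;
# the cookie line is omitted here as it was elided there.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 25 Nov 2010 11:24:19 GMT\r\n"
    "Server: Apache\r\n"
    "Cache-Control: private\r\n"
    "Strict-Transport-Security: max-age=500\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Assumed threshold for this example: one year. RFC 6797 does not mandate
# a minimum; a policy of a few hundred seconds simply expires almost at once.
MIN_MAX_AGE = 31536000


def parse_headers(raw):
    """Split a raw response head into ordered (name, value) pairs.

    Names are lower-cased, the status line is skipped, and obsolete folded
    continuation lines (leading whitespace) are appended to the previous field.
    """
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.startswith("HTTP/"):
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field; ignore stray lines
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Parse an STS field value per RFC 6797 section 6.1.

    Returns {"max_age", "include_subdomains", "preload"}, or None when the
    value is not a valid policy (missing/malformed max-age, repeated directive).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age may be given as a quoted-string
        if name in seen:
            return None  # a directive must not appear more than once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None  # max-age is mandatory
    return policy


def check_hsts(raw, min_max_age=MIN_MAX_AGE):
    """Classify the HSTS policy in a raw response head.

    status: "absent" (no header), "invalid" (unparseable), "disabled"
    (max-age=0, which tells clients to forget the host), "short" (valid but
    below min_max_age) or "ok".
    """
    sts = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    if not sts:
        return {"status": "absent", "policy": None}
    # RFC 6797 section 8.1: if several STS fields are present, only the
    # first one is processed.
    policy = parse_hsts(sts[0])
    if policy is None:
        return {"status": "invalid", "policy": None}
    if policy["max_age"] == 0:
        status = "disabled"
    elif policy["max_age"] < min_max_age:
        status = "short"
    else:
        status = "ok"
    return {"status": status, "policy": policy}


if __name__ == "__main__":
    print(check_hsts(SAMPLE_RESPONSE))
```

Run against the sample, the checker finds the header but reports it as "short": max-age=500 is a valid policy that a browser will honour, but only for a little over eight minutes after the last response, so a scanner that grades the effective protection rather than the bare presence of the header can reasonably decline to call it enabled.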