AnsweredAssumed Answered

Please fix HSTS detection

Question asked by Gaspard d'Hautefeuille on Aug 15, 2015
Latest reply on Jan 8, 2016 by Matthew Ames



According to RFC 7230, "each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.".

I migrated from nginx to h2o web server. At the moment, only the second-level domain (the TLDs and other SLD are not yet configured). For HSTS, I added in h2o.conf: header.add: "strict-transport-security: max-age=15724800; includeSubDomains" but it seems that SSL Labs only supports the HSTS header in the common uppercase writing: Strict-Transport-Security. So, I ask you to support the lowercase writing.


Screenshot 2015-08-16 at 03.50.00.png


HSTS is not detected even if HSTS is enabled.


Screenshot 2015-08-16 at 03.55.24.png


Could you please fix HSTS detection?