How to find if a web site uses HSTS

Question

I'm totally new to curl and am trying to ascertain if websites use Strict-Transport-Security.

I'm running off advice. I've been told to check against Chrome's preloaded list and to run

curl -D - https://www.example.com | head -n 20

to check for Strict-Transport-Security headers.

But the 'head' command generated an error and was unknown.

Any ideas?

ATM I'm running Win XP, will have a linux distro in a few days.

Thanks.

Answer 1

That method is fine.

$ curl -s -D- https://paypal.com/ | grep Strict
Strict-Transport-Security: max-age=14400

As you've noticed, some webservers just refuse to honour HEAD requests. curl will print the headers for a GET request with -v:

$ curl -s -vv https://paypal.com/ 2>&1 | grep Strict
< Strict-Transport-Security: max-age=14400

The < means the header is one returned by the server to you.

Actual example.com, as in your example, won't work as it doesn't listen on https:// at all:

$ curl -D- https://www.example.com
curl: (7) couldn't connect to host

As the Strict-Transport-Security header is only honoured if it is delivered over https://, it's very safe to assume that any site that doesn't respond to on https:// isn't using STS, especially as it would have no reason to do so.