HTTP Strict Transport Security not respected for IP addresses

I set up a cert for an IP address with nginx, and enabled http strict transport security:

add_header  Strict-Transport-Security "max-age=31536000; includeSubdomains;";

The directive is in the header

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Sep 2014 22:46:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-UA-Compatible: IE=Edge,chrome=1

... but it's not respected by the browsers (whereas they do respect it for an FQDN).

MultiformeIngegno asked Sep 17 '14 22:09


1 Answer

If I understand you correctly, you direct your browser to an IP address (https://xx.xx.xx.xx/) instead of a domain name and expect it to obey the HSTS rule?

But RFC 6797 Appendix A explicitly excludes IP addresses:

HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded.

Alexey Ten answered Oct 12 '22 11:10
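The user-agent behaviour the answer cites, as an added Python example that is not from the question, the answer or nginx: a toy Known-HSTS-Host store that parses the question's exact header value, refuses to cache a policy when the host is an IP literal (RFC 6797 Appendix A), and decides whether a later request must be upgraded to HTTPS (section 8.3). The host names and addresses used are constructed sample values.

```python
import ipaddress

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1); None if invalid."""
    max_age, include_subdomains = None, False
    # split on ';' and drop empty parts, so the trailing ';' in the question's header is fine
    for directive in [d.strip() for d in value.split(";") if d.strip()]:
        name, _, val = directive.partition("=")
        name = name.strip().lower()     # directive names are case-insensitive
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():       # non-numeric max-age invalidates the header
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True   # any other directive is ignored
    return None if max_age is None else (max_age, include_subdomains)

def is_ip_literal(host):
    try:                                # IPv4 or IPv6, bracketed or not
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True

def observe(store, host, sts_value):
    """Apply one TLS response's STS header to store (dict host -> includeSubDomains, s8.1)."""
    if is_ip_literal(host):             # Appendix A: an IP literal never becomes an HSTS host
        return False
    parsed = parse_sts(sts_value)
    if parsed is None:
        return False
    max_age, inc = parsed
    host = host.lower().rstrip(".")
    if max_age == 0:                    # max-age=0 deletes any cached policy for the host
        store.pop(host, None)
        return False
    store[host] = inc
    return True

def must_use_https(store, host):
    """s8.3: True if host itself, or a superdomain with includeSubDomains, is cached."""
    if is_ip_literal(host):
        return False
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        inc = store.get(".".join(labels[i:]))
        if inc is not None and (i == 0 or inc):
            return True
    return False
```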