HTTP Strict Transport Security not enforced for IP addresses

I installed a certificate for the IP address with nginx and enabled HTTP Strict Transport Security:

add_header  Strict-Transport-Security "max-age=31536000; includeSubdomains;";

The directive appears in the response headers:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Sep 2014 22:46:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-UA-Compatible: IE=Edge,chrome=1

... but browsers do not respect it (they do for the fully qualified domain name).


If I understand correctly, you are redirecting the browser to an IP address (https://xx.xx.xx.xx/) instead of a domain name and expecting it to abide by the HSTS rule?

But RFC 6797 Appendix A explicitly excludes IP addresses:

"HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded."

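To make the answer concrete, here is a small model of the browser-side decision, written as an added example for this page (it is not code from the question, the answer, nginx or any browser). It parses the Strict-Transport-Security header value shown in the question, refuses to record a policy when the HTTPS response came from an IP literal, and shows that the http-to-https rewrite happens only for domain names (and, with includeSubDomains, their subdomains). The host names and the 203.0.113.10 address are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when there is no usable max-age directive. Empty
    directives (such as the trailing ';' in the question's header) are
    tolerated, and directive names are case-insensitive.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def is_ip_literal(host: str) -> bool:
    """True for IPv4 or (bracketed) IPv6 literals, False for domain names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def upgrade(url: str) -> str:
    """Rewrite http:// to https://, dropping an explicit :80 port."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


class HstsStore:
    """Minimal model of a browser's HSTS host cache (no expiry handling)."""

    def __init__(self) -> None:
        self.known: Dict[str, HstsPolicy] = {}

    def note_response(self, url: str, sts_header: str) -> bool:
        """Record the policy carried by an HTTPS response. Returns True if stored."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            return False  # STS over plain HTTP is ignored
        if is_ip_literal(host):
            return False  # RFC 6797: HSTS hosts are identified only by domain name
        policy = parse_sts_header(sts_header)
        if policy is None:
            return False
        if policy.max_age == 0:
            self.known.pop(host, None)  # max-age=0 clears a stored policy
            return False
        self.known[host] = policy
        return True

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or is_ip_literal(host):
            return url
        if host in self.known:
            return upgrade(url)
        labels = host.split(".")
        for i in range(1, len(labels)):  # walk up to parent domains
            parent = self.known.get(".".join(labels[i:]))
            if parent and parent.include_subdomains:
                return upgrade(url)
        return url


def demo() -> Dict[str, object]:
    store = HstsStore()
    header = "max-age=31536000; includeSubdomains;"  # header from the question
    return {
        "ip_stored": store.note_response("https://203.0.113.10/", header),
        "name_stored": store.note_response("https://example.com/", header),
        "ip_plain": store.rewrite("http://203.0.113.10/login"),
        "name_plain": store.rewrite("http://example.com/login"),
        "sub_plain": store.rewrite("http://www.example.com/login"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model leaves out max-age expiry and the port rules beyond the :80 case; the point it demonstrates is the first check in note_response, which is why the nginx header in the question is silently discarded when the site is reached by IP.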
