Hello, Not strictly a httpd specific issue but nevertheless, Chrome/Firefox should ignore the header because it is not delivered with a valid certificate and thus there is no way of knowing if it was actually issued by the website.
You should get the expected result if you first respond with an HSTS header in a valid TLS request and then *future* requests should be prevented from proceeding if there is a certificate error. This is why HSTS are being preloaded for major websites as that would to cover the first request. For your average website there isn't currently a solution to this. Kind Regards, Scott First Class Watches 9 Warwick Road Kenilworth CV8 1HD Warwickshire United Kingdom On 6 October 2014 22:36, Eddie B <ed...@mattermedia.com> wrote: > I have an https server that sets the HSTS header, but up to date Chrome > (and other HSTS compatible browsers, such as Firefox 32) still let the user > proceed to HTTPS. Isn’t the specific reason HSTS exists to prevent users > from proceeding? > > > > Here’s the server: http://pastebin.com/JFJw1m40 > > > > How is this possible? >
