We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

The security tab in developer console shows HSTS as disabled whereas we see all the response header under "Headers" tab

  • 4 uphendule
  • 2 zinale nkinga
  • 7 views
  • Igcine ukuphendulwa ngu subodh.natu

subodh.natu
subodh.natu
more options

We recently implemented HSTS in our webapplication where using filter we send the HSTS headers back to browser. When we check any URL after logging in, we see the relevant HSTS response headers confirming that we have done the implementation correctly. But when we check the security tab, it shows "HSTS" as "Disabled".

How is browser determining that "HSTS" (HTTP Strict Transport Security) is disabled?

We recently implemented HSTS in our webapplication where using filter we send the HSTS headers back to browser. When we check any URL after logging in, we see the relevant HSTS response headers confirming that we have done the implementation correctly. But when we check the security tab, it shows "HSTS" as "Disabled". How is browser determining that "HSTS" (HTTP Strict Transport Security) is disabled?

All Replies (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

If you have visited the website before then there might be a record in SiteSecurityServiceState.txt in the profile folder.

Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?

Can you attach a screenshot?

subodh.natu
subodh.natu Umnikazi wombuzo
more options

I have attached the screen shot for the Response headers from the "Headers" tab and the screen shot from "Security" tab which shows "HSTS" as disabled.

Unfortunately I cannot share the link for the application as it is within the internal network and not accessible from outside.

Okulungisiwe ngu subodh.natu

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Did you check the SiteSecurityServiceState.txt file?

subodh.natu
subodh.natu Umnikazi wombuzo
more options

Yes I checked the "SiteSecurityServiceState.txt", it doesn't have that domain listed in the file.

I even created a new profile and accessed the site using the new profile, even then the domain doesn't show up in the new file.