Description
The hstspreload.org scanner incorrectly reports "No HSTS header" for the root domain when the header is provided on a 301 redirect from https://madeira.gov.pt to https://www.madeira.gov.pt (not allowing me to add the site to the preload list).
If the header is added to the initial http:// response, the scanner allows me to add the site to the preload list, but it will also throw a warning (rightly so) that HSTS should not be on HTTP.
Evidence (Curl Trace from curl -LI http://madeira.gov.pt):
HTTP/1.1 301 Moved Permanently
Location: https://madeira.gov.pt/
HTTP/1.1 301 Moved Permanently
Location: https://www.madeira.gov.pt/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Redirect-Reason: Wrong Portal Alias Requested
Final Destination (HSTS Present):
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
To add the domain back to the HSTS preload list, I had to update the current configuration so that the HSTS header is also returned on the initial HTTP response during the redirect from http://madeira.gov.pt to https://madeira.gov.pt (which, as I've said, now triggers a warning).
Our original setup (see the curl snippets above) has been in place for years, and I’m fairly certain it previously met the requirements for inclusion in the preload list. We only discovered this issue recently while doing a routine check of the site’s HSTS status.
Is this a bug in the scanner, or am I missing something?
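The redirect chain in the issue can be checked offline with the short script below. It is an added example, not the issue author's configuration and not hstspreload.org's own scanner code: the three responses are constructed from the `curl -LI` trace above, the rules (HTTP entry point must redirect to HTTPS on the same host, no HSTS on HTTP hops, a header with a sufficient `max-age`, `includeSubDomains` and `preload` on the first HTTPS response of the bare domain) are a simplified reading of the published preload requirements, and the one-year `max-age` threshold is an assumption taken from the value in the trace. `with_hsts_on_http` reproduces the workaround described in the issue so the warning can be seen alongside the original chain.

```python
"""Walk a constructed redirect chain and report where HSTS appears.

Added example, not code from the issue or from hstspreload.org.
"""
from urllib.parse import urlparse

# Constructed responses keyed by request URL, shaped after the curl -LI
# trace in the issue: (status code, response headers).
CHAIN = {
    "http://madeira.gov.pt/": (301, {
        "Location": "https://madeira.gov.pt/",
    }),
    "https://madeira.gov.pt/": (301, {
        "Location": "https://www.madeira.gov.pt/",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Redirect-Reason": "Wrong Portal Alias Requested",
    }),
    "https://www.madeira.gov.pt/": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    }),
}

MIN_MAX_AGE = 31536000  # assumed threshold for this example (one year)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_hsts(value):
    """Split an HSTS header into (max_age, include_subdomains, preload).

    Directive names are case-insensitive; an unparsable max-age yields None.
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def follow(chain, start, max_hops=10):
    """Return the (url, status, headers) hops reached by following Location."""
    hops, url = [], start
    for _ in range(max_hops):
        status, headers = chain[url]
        hops.append((url, status, headers))
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]
        else:
            break
    return hops


def check_preload(chain, domain):
    """Return findings for the bare domain; an empty list means it passes."""
    findings = []
    hops = follow(chain, f"http://{domain}/")

    # The HTTP entry point must redirect straight to HTTPS on the same host.
    url, status, headers = hops[0]
    target = urlparse(headers.get("Location", ""))
    if status not in REDIRECT_CODES or target.scheme != "https" \
            or target.hostname != domain:
        findings.append(f"error: {url} must redirect to https://{domain}/")

    # Browsers ignore HSTS over plain HTTP; flag it, as the scanner warns.
    for url, status, headers in hops:
        if urlparse(url).scheme == "http" and "Strict-Transport-Security" in headers:
            findings.append(f"warning: HSTS header sent over HTTP at {url}")

    # The first HTTPS response of the bare domain (here the 301 to www) is
    # where this simplified check expects the preload-ready header.
    root = [h for h in hops if urlparse(h[0]).scheme == "https"
            and urlparse(h[0]).hostname == domain]
    if not root:
        findings.append(f"error: no HTTPS response observed for {domain}")
        return findings
    url, status, headers = root[0]
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append(f"error: no HSTS header on {url} (status {status})")
        return findings
    max_age, include_sub, preload = parse_hsts(hsts)
    if max_age is None or max_age < MIN_MAX_AGE:
        findings.append(f"error: max-age must be at least {MIN_MAX_AGE}, got {max_age}")
    if not include_sub:
        findings.append("error: includeSubDomains directive missing")
    if not preload:
        findings.append("error: preload directive missing")
    return findings


def with_hsts_on_http(chain, domain):
    """Copy of the chain with the issue's workaround: HSTS on the HTTP hop too."""
    status, headers = chain[f"http://{domain}/"]
    hsts = chain[f"https://{domain}/"][1]["Strict-Transport-Security"]
    patched = dict(chain)
    patched[f"http://{domain}/"] = (status, {**headers, "Strict-Transport-Security": hsts})
    return patched


if __name__ == "__main__":
    for label, chain in (("original", CHAIN),
                         ("workaround", with_hsts_on_http(CHAIN, "madeira.gov.pt"))):
        print(label, check_preload(chain, "madeira.gov.pt") or ["ok"])
```

Under this reading the original chain produces no findings and the workaround produces only the HTTP warning; whether the real scanner inspects the bare domain's HTTPS redirect response in the same way is exactly the question the issue raises, so this script is a way to make the expectation explicit, not a verdict on the scanner.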