php - HSTS header is not seen in image /JS/CSS files
Get the solution ↓↓↓
I have added the following line in my .htaccess file to set the HSTS header
Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;"
To test the HSTS header, I have done the below steps:
- Access the application in the chrome browser
- Open the developer tool and check the HSTS header in the Response headers
The first time when I access the application and verified it in the developer tool, I could see the HSTS header in all the PHP files, image files, CSS files, and JS files. Again when I load the application, I could see images, CSS, and JS files are loaded from the memory/disk cache and these files are missing the HSTS header in response headers. However, PHP files still shows the HSTS header in the reponse headers.
Missing HSTS header in the resource files(image/CSS/JS files) is accepted? OR It is considered as security hole? If so how can I fix this?
Thank you in advance
Answer
Solution:
The idea behind an HSTS header is that content is always downloaded over an encrypted connection.
Once the files are downloaded and put in your memory/disk cache they are no longer encrypted.
When your browser gets the files from memory/disk cache they also don't need to be downloaded over any connection. The memory/disk cache is a trusted resource. That's why the HSTS header is not needed.
Share solution ↓
Additional Information:
Link To Answer People are also looking for solutions of the problem: composer detected issues in your platform: your composer dependencies require a php version ">= 7.3.0".
Didn't find the answer?
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Similar questions
Find the answer in similar questions on our website.
Write quick answer
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.