HSTS (HTTP Strict Transport Security) means that the browser itself upgrades HTTP to HTTPS for a site. When a user types a URL without a scheme, the browser defaults to plain HTTP, so an HTTPS-only site normally has to redirect HTTP to HTTPS on the server side, and that first request still travels in the clear. With HSTS, the server sends a Strict-Transport-Security response header over HTTPS; from then on, until the header's max-age expires, the browser rewrites any http:// URL for that host to https:// before sending a request, so the server-side redirect is almost never hit. HSTS also makes the browser refuse to let the user click through certificate errors for that host, which is the part that matters below.
When we deployed HTTPS we found HSTS useful and turned it on right away. Using it is very simple: add Strict-Transport-Security: max-age=31536000 (one year, in seconds) to the HTTPS response headers.
But then we found a problem when visiting our HTTPS site over the Wi-Fi in a Starbucks. After entering the URL in the browser, the Starbucks Wi-Fi sign-in page did not appear; instead the browser reported an insecure connection and refused to load the page. Only by opening some plain HTTP site could we get the Wi-Fi login page to appear, complete the login, and then reach our HTTPS site.
The reason is simple. Because our site has HSTS enabled, the browser sends the request over HTTPS by default. Before login, the Starbucks Wi-Fi (a captive portal) intercepts every connection and tries to answer with its HTTP login page, so what comes back to the browser is not a valid HTTPS response from our site. The browser sees this as an insecure connection, and because the host is on its HSTS list it aborts immediately with no option to click through. Without HSTS the first request goes out as plain HTTP, the portal can answer it with the login page, and the server-side redirect only runs once the user is actually online, so this problem does not occur.
This is a general problem with Wi-Fi that authenticates users through a captive portal, so when deploying HTTPS it is worth considering whether to enable HSTS. If you enabled HSTS earlier and now want to turn it off, you cannot simply remove the Strict-Transport-Security header: browsers that already saw it keep applying the stored policy until their cached max-age expires, and the header is only honoured over HTTPS in the first place. Instead, keep serving the header over HTTPS with Strict-Transport-Security: max-age=0, which tells the browser to delete its stored policy for the host on its next HTTPS visit; a browser that never returns over HTTPS before its entry expires will keep the old policy.
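The following is an added example, not the post's own code and not any browser's implementation: a small model of a browser's HSTS cache as RFC 6797 describes it (the header only counts over HTTPS, http:// URLs are rewritten before any request is sent, max-age=0 deletes the stored policy) together with a constructed captive portal that answers plain HTTP with its login page and hijacks every TLS connection. The host name example.com, the timestamps and the portal's replies are assumptions made up for the illustration. Running it shows both flows from the post side by side: with HSTS the navigation hard-fails, without it the login page appears, and after max-age=0 the rewrite stops.

```python
"""Model of a browser's HSTS cache (RFC 6797) and of a captive portal.
Added example for this post; not the post's code, not a browser's code.
Host names, times and portal replies are constructed for illustration."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class HstsEntry:
    expires: float           # absolute Unix time at which the policy lapses
    include_subdomains: bool


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, with any port stripped."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()


class HstsCache:
    """What a browser remembers after seeing Strict-Transport-Security."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsEntry] = {}

    def process_response(self, host: str, scheme: str, headers: Dict[str, str],
                         now: Optional[float] = None) -> None:
        """Apply the STS header of a response. Only honoured over HTTPS."""
        if scheme != "https":
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return               # no header: a stored policy stays until it expires
        now = time.time() if now is None else now
        max_age: Optional[int] = None
        include_sub = False
        for directive in value.split(";"):
            name, _, val = directive.partition("=")
            name = name.strip().lower()
            if name == "max-age" and max_age is None:
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return       # malformed max-age: the whole header is ignored
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return               # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 deletes the stored policy
        else:
            self._entries[host] = HstsEntry(now + max_age, include_sub)

    def is_known(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: Optional[float] = None) -> str:
        """Upgrade http:// to https:// for a known host before any request is sent."""
        if url.startswith("http://") and self.is_known(host_of(url), now):
            return "https://" + url[len("http://"):]
        return url


def captive_portal_network(url: str) -> Tuple[str, str]:
    """Constructed hotspot before sign-in: plain HTTP gets the portal's login
    page; any TLS connection is hijacked, so the browser never receives a
    certificate it can validate for the requested origin."""
    if url.startswith("https://"):
        return ("tls_error", "certificate does not match " + host_of(url))
    return ("200", "<html>Welcome, please sign in to the Wi-Fi</html>")


def navigate(cache: HstsCache, typed_url: str,
             network: Callable[[str], Tuple[str, str]],
             now: Optional[float] = None) -> str:
    """One navigation: HSTS rewrite, send, then decide what the user sees."""
    url = cache.rewrite(typed_url, now)
    status, body = network(url)
    if status == "tls_error":
        if cache.is_known(host_of(url), now):
            return "HSTS hard failure: no click-through allowed"
        return "certificate warning: user may click through"
    return body


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cache = HstsCache()   # a browser that has visited the site once over HTTPS
    cache.process_response("example.com", "https",
                           {"Strict-Transport-Security": "max-age=31536000"}, now=t0)
    print(navigate(cache, "http://example.com/", captive_portal_network, t0))
    print(navigate(HstsCache(), "http://example.com/", captive_portal_network, t0))
    cache.process_response("example.com", "https",
                           {"Strict-Transport-Security": "max-age=0"}, now=t0)
    print(cache.rewrite("http://example.com/", t0))   # back to plain http://
```

The `process_response` check on `scheme` is why withdrawing HSTS has to be done over HTTPS: a max-age=0 header delivered over plain HTTP is discarded before it reaches the cache, and the old one-year entry keeps rewriting URLs until it expires on its own.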
One problem to be aware of when using HTTPS HSTS