HSTS on the root domain
We are experiencing some redirection issues we have no control over as they are done in the root domain.
http://oldsite.com redirects to https://www.oldsite.com then finally to https://www.newsite.com
The redirection should be as follows:
http://oldsite.com -> https://oldsite.com -> https://www.newsite.com
Please update Optimizely's configuration to do these redirects properly.

Kristoffer Palm commented
The DXP redirect service (used for redirecting apex domains like example.com to www.example.com) does not return an HSTS header. Because this response comes from Optimizely’s infrastructure, we cannot configure or enforce Strict-Transport-Security on our root domain.
As a result, the apex domain remains accessible over HTTP, which exposes end users to potential downgrade attacks on first visit and prevents use of includeSubDomains; preload on the main domain.
To support full HTTPS enforcement and align with modern security standards, we request tenant-level support for HSTS headers on redirect domains.
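To make the two points in this thread concrete (the apex must upgrade to HTTPS on the same host before hopping to www, and every HTTPS hop must carry a preload-eligible HSTS header), here is an added audit script that is not part of the ticket or of Optimizely's DXP. The hop data is constructed to mirror the chains described above; it is not captured from a real server.

```python
from urllib.parse import urlsplit

# Constructed sample hops: (request_url, status, response_headers).
# Observed chain from the ticket: apex goes straight to https://www.
OBSERVED_CHAIN = [
    ("http://oldsite.com/", 301, {"Location": "https://www.oldsite.com/"}),
    ("https://www.oldsite.com/", 301, {
        "Location": "https://www.newsite.com/",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://www.newsite.com/", 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
# Requested chain: apex upgrades to HTTPS first and sets HSTS itself.
EXPECTED_CHAIN = [
    ("http://oldsite.com/", 301, {"Location": "https://oldsite.com/"}),
    ("https://oldsite.com/", 301, {
        "Location": "https://www.newsite.com/",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://www.newsite.com/", 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
PRELOAD_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, set_of_flags)."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    return max_age, flags

def audit_chain(chain):
    """Return findings for a redirect chain; an empty list means preload-ready."""
    findings = []
    for url, status, headers in chain:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # The HTTP hop must land on https:// of the SAME host, otherwise the
            # apex host never gets a chance to send an HSTS header of its own.
            loc = urlsplit(headers.get("Location", ""))
            if loc.scheme != "https" or loc.hostname != parts.hostname:
                findings.append(f"{url}: should redirect to https://{parts.hostname}/ "
                                f"first, not {headers.get('Location')}")
            continue
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            findings.append(f"{url}: HTTPS response without Strict-Transport-Security")
            continue
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append(f"{url}: max-age {max_age} below preload minimum")
        for flag in ("includesubdomains", "preload"):
            if flag not in flags:
                findings.append(f"{url}: missing {flag} directive")
    return findings
```

Running `audit_chain(OBSERVED_CHAIN)` flags the first hop, while `audit_chain(EXPECTED_CHAIN)` returns no findings.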