Settings and activity

1 result found

1. HSTS on the root domain

   6 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   Gathering Feedback  ·  1 comment  ·  CMS PaaS (Content Management System) » Hosting & Infrastructure  ·  Delete…  ·  Admin →
   How important is this to you?

   Nice to have You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating
   An error occurred while saving the comment
   Kristoffer Palm commented  ·  Apr 15, 2025  ·  Edit…  ·  Delete…

   The DXP redirect service (used for redirecting apex domains like example.com to www.example.com) does not return an HSTS header. Because this response comes from Optimizely’s infrastructure, we cannot configure or enforce Strict-Transport-Security on our root domain.

   As a result, the apex domain remains accessible over HTTP, which exposes end users to potential downgrade attacks on first visit and prevents use of includeSubDomains; preload on the main domain.

   To support full HTTPS enforcement and align with modern security standards, we request tenant-level support for HSTS headers on redirect domains.

   Save Submitting...
   Kristoffer Palm supported this idea  ·  Apr 15, 2025