How to Fix Warning: Unnecessary HSTS header over HTTP in htstpreload.org

When you’re trying to include your domain to Google Chrome’s HTTP Strict Transport Security (HSTS) preload list, you’ll get an error message that says “Warning: Unnecessary HSTS header over HTTP”. Based on the error message, basically it says that your HTTP connection is also sending an HSTS header in which it should not.

Here is the full error message:

Status: yourdomain.com is pending submission to the preload list.

However, it still has the following issues, which we recommend fixing:

Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://yourdomain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Table of Contents

1. For NGINX
2. For Apache
3. Done

To fixed this error message, you have to remove the HSTS header message from the HTTP connection and move it only to HTTPS.

For NGINX

If you place the Strict-Transport-Security in the http{…} blocks at the NGINX configuration files, you need to move it on server{…} blocks.

For example, in your /etc/nginx/nginx.conf. You just have to remove the Strict-Transport-Security header or comment out the line.

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    #YOUR_OTHER_CODE .....
}

Then at your server{…} blocks that contain the line of listen 443 ssl http2, this is the block you only place the Strict-Transport-Security header in which the directives on serving https for your website. For example at /etc/nginx/sites-available/yourdomain.com.

server{

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /var/www/codefaq.org;

    index index.php index.html index.html index.nginx-debian.html;

    server_name codefaq.org www.codefaq.org;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    #YOUR_OTHER_CODE .....
}

Save the file and restart your Nginx.

sudo service nginx restart

For Apache

Similar to NGINX, just move the Strict-Transport-Security header to VirtualHost *:443 instead of placing it outside the 443 config.

For example, originally, your configuration is similar below.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
<VirtualHost *:443>
    #YOUR_OTHER_CODE ......
</VirtualHost>

You need to move the code inside the *.443 config.

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    #YOUR_OTHER_CODE ......
</VirtualHost>

Done!

After fixing the above instructions, go back to https://hstspreload.org and check your website. The error should now be gone.

To check if your website is already in Google Chrome Package. Visit chrome://net-internals/#hsts and input your website.