HSTS Preload Fail | WordPress.org


Plugin Author
Andrea

(@unicorn03)

Hi Jason, thanks for downloading the Headers Security Advanced & HSTS WP plugin, I am glad you like the plugin.

I am Andrea and I will help you with your issue as quickly as possible, below I will answer your questions:

1) I did a check with hstspreload and I can confirm that I found an issue with the domain scan “penchecks.com”.

response: Error: No HSTS header
Response error: No HSTS header is present on the response.

2) I can confirm that with the Geekflare tool the HSTS directive for preloading in the list of browsers is recognized.

This is the link where I performed the test (identical to yours):

response: great! HSTS header was found in the HTTP response headers as highlight below.

** I ask if you can confirm that the installed version of the plugin is version number 5.0.04? Is your provider forcing the use of HSTS?

I also found the error you are experiencing with HSTS Preload. Basically the preload is not performed because the declared directive is invalid (strict-transport-security: max-age=31536000).

This is very strange because the Headers Security Advanced & HSTS WP plugin uses that directive for preloading; to be more precise, the plugin uses (Strict-Transport-Security: max-age=63072000; includeSubDomains; preload).

Don’t worry, now we will solve everything together in no time 😀

TROUBLESHOOTING RESOLUTION:
a) Deactivate the plugin and delete it; once this is done, try to reinstall the plugin and save permalinks for safety.

b) If option A had no effect, try to confirm that in your .htaccess file you can find the following: # Headers Security Advanced & HSTS WP – 5.0.04, and tell me the directive you see with the following name: “Strict-Transport-Security”.

I will also leave you the email to get in touch with me even faster [email protected]

greetings, thank you for the quick response, greatly appreciated!

i followed your suggestions and while at first i was still seeing the odd number you pointed out, i ran it against some client sites also using your plugin and they all came back as you pointed out, so it was definitely something about this particular client, even though they are all even using the same web host.

somewhere an old plugin or something must have been overriding your plugin settings, i turned off some other ‘security’ plugins that seemed to have some overlap, xframe options and the like and voila, i no longer get that error!

and can see the subdomain, correct max age etc.

thank you for pointing me in the right direction!
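The check discussed in this thread, as an added example that is not part of the original posts or the plugin's code: it evaluates a response's Strict-Transport-Security value(s) against the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload). The function names are hypothetical, the sample values are constructed from the two directives quoted above, and the two-header case is an assumption about how an override by another plugin could appear, since the thread does not show the raw response.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Parse one Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def preload_problems(header_values):
    """List the reasons the HSTS header(s) of one response fail preload checks.

    header_values: every Strict-Transport-Security value in the response, in order.
    """
    if not header_values:
        return ["no HSTS header is present on the response"]
    problems = []
    if len(header_values) > 1:
        # RFC 6797 section 8.1: a browser processes only the first STS header.
        problems.append("multiple HSTS headers; only the first is processed")
    try:
        found = parse_hsts(header_values[0])
    except ValueError as exc:
        return problems + [str(exc)]
    max_age = found.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age below {MIN_PRELOAD_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in found:
            problems.append(f"missing {required}")
    return problems


# Constructed samples built from the two header values quoted in the thread.
OVERRIDDEN = ["max-age=31536000"]
PLUGIN = ["max-age=63072000; includeSubDomains; preload"]
BOTH = OVERRIDDEN + PLUGIN  # assumed: another plugin's header sent ahead of this one

if __name__ == "__main__":
    for label, sample in (("overridden", OVERRIDDEN), ("plugin", PLUGIN), ("both", BOTH)):
        print(label, preload_problems(sample) or "meets preload requirements")
```

To use it on a live site, collect the Strict-Transport-Security values from the HTTPS response of the bare domain and pass them in the order received.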

 
