Staff & Editor

Technical Tip: HSTS header insert in HTTP 302 response by URL rewriting module

Forum|Forum|11 months ago
June 5, 2025
0 replies
425 views

Description

This article describes behavior of no HSTS header insert in HTTP 302 response header when redirect action in URL rewriting is applied in Web Protection Profile.

Scope

FortiWeb, FortiWeb-VM.

Solution

Symptom:

User visits http://example.com and is redirected to https://example.com - HTTP 301: HTTP-HTTPS redirection enabled in server policy configuration.
User is redirected from https://example.com to https://example.com/someappname - HTTP 302:

There is no Strict-Transport-Security header returned.
HTTP location redirection is configured in a URL rewriting rule.

User loads https://example.com/someappname - HTTP 200:

Strict-Transport-Security header returned in FortiWeb response.
Strict-Transport-Security header inserted based on server policy, advanced SSL settings: Technical Tip: Enable and verify the HSTS header response feature in FortiWeb

HSTS-not-insert_in_HTTP302_-_FWB_7.4.8.png

The HSTS header insertion is not supported with the HTTP 302 return code by FortiWeb v7.6.0 and earlier releases.

Fix:
Upgrade to v7.6.1 or a later version.

FortiWeb v7.6.3:

HSTS-insert_in_HTTP302_-_FWB_7.6.3.png

Strict-Transport-Security header responded with a HTTP 302 redirection. Example: HTTP-to-HTTPS redirect: Rewriting & redirecting

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded