Estou configurando um servidor da web e estou verificando o SSLLabs e o Chrome 31 para garantir que a segurança seja adequada. No entanto, nem o Chrome nem o SSLLabs parecem acreditar que a segurança de transporte rigorosa está habilitada para o domínio. Eu não consigo descobrir o porquê. Abaixo estão os cabeçalhos de resposta do curl ao acessar o site.
$curl -I ********.com
HTTP/1.1 301 Moved Permanently
Server: Apache
Date: Sat, 14 Dec 2013 22:58:27 GMT
Location: https://********.com/
Content-Type: text/html; charset=iso-8859-1
$curl -kI https://********.com
HTTP/1.1 200 OK
Server: Apache
Date: Sat, 14 Dec 2013 22:59:26 GMT
Last-Modified: Mon, 09 Dec 2013 04:58:41 GMT
ETag: "422-4ed12d98c43d3"
Accept-Ranges: bytes
Content-Length: 1058
Vary: Accept-Encoding
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: text/html
Meu Apache Config, conforme relatado por mod_info
Module Name: mod_headers.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Post-Read Request, Fixups, Insert Filters, Insert Errors
Module Directives:
Header - an optional condition, an action, header and value followed by optional env clause
RequestHeader - an action, header and value followed by optional env clause
Current Configuration:
In file: /etc/apache2/sites-enabled/100-********-ssl.conf
2: <VirtualHost _default_:443>
30: Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
: </VirtualHost>