Random redirect behaviour and HSTS preload -- error: (HTTP) should immediately redirect to (HTTPS)

Hello,

I am trying to submit my site (https://ari-web.xyz/ (https://ari-web.netlify.app)) to the HSTS submission list, and sometimes I get this error:

Error: HTTP redirects to www first `http://ari-web.xyz` (HTTP) should immediately redirect to `https://ari-web.xyz` (HTTPS) before adding the www subdomain. Right now, the first redirect is to `https://www.ari-web.xyz/`. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

But sometimes it just works… I am confused why or how:

Status: ari-web.xyz is pending submission to the preload list.

By chanse if you try enough times you will get red,
is it an issue with my redirects and stuff? …

I’m just like really confused, some people get green, some red, I get both, just a whole mess, why is that, can I somehow fix it?

HSTS preload url: HSTS Preload List Submission

I only submitted it few days ago, but I only started getting weird errors today

Thanks for any help

Update (1)

Even after playing around in dev tools I can see the random behaviour, sometimes I get a direct redirect to www subdomain over https, sometimes I get redirected to https (top level) then https (www), very confusing, my dns seems fine, is it maybe netlify’s fault? not sure

Update (2)

Forgot to link the source code: GitHub - TruncatedDinosour/website: Ari-web source code (previously ari['s] web[site])

1 Like

Hey @B00bleaTea

You are wishing to use ari-web.xyz as the primary/default domain, not www.ari-web.xyz? Currently www.ari-web.xyz is configured as the primary domain. You can change this behaviour in the Custom Domains section of the UI

1 Like

Hi @coelmay

Nope,

I fully understand this, but the issue is that
it randomly redirects, I always want it to be:

http://ari-web.xyz/https://ari-web.xyz/https://www.ari-web.xyz/

while it is most of the time like that, sometimes this happens:

http://ari-web.xyz/https://www.ari-web.xyz/

And as redirection to https://ari-web.xyz/ is necessary for HSTS I cannot make it stable… how would I make it, well, stable and follow http → https → https (www)

1 Like

If you can produce this, please provide the x-nf-request-id for this in or that Netlify can investigate. My understanding is this is not correct behaviour.

1 Like

@coelmay Surely, will reply as soon as I can

@coelmay I am having trouble reproducing it in the browser,
I can only really reproduce it in the HSTS Preload List Submission website, which does not show any headers… only red and it’s quite random, though I have reproduced it before, any way to get back the request which I have reproduced the bug or whatever it may be? it should be there as in the making of this thread I did reproduce it

Given the sheer number of requests Netlify would see in a day, it is likely near impossible (very time-consuming at least) to find a specific request based on an error message. That’s why the x-nf-request-id is required for troubleshoot purposes.

Another question is how many times you have tried submitting your site? You say sometimes you get green, sometimes red (with error) suggesting you are doing it multiple times. There is only a need to do it once is there not?

Not sure,

The red happens randomly, I tried checking the status of the site (submitting) at least like 10 times to try to reproduce it, but usually like 1 is enough, it’s completely random and more frequent at times

for now at least, it seems good, tried doing it multiple times with no error, will try to debug and stuff, if I manage to get hold of the ID I will send it to you

sorry forgot to update,
everything was okay after I reported this,
I got into HSTS preload list and all that fine :slight_smile:

I’m facing the same problem. When I do curl -I http://material-ui.com/ it redirects directly to https://mui.com/core/ without doing a hop to https://material-ui.com/ first. I have the following in my _redirects configuration:

http://material-ui.com/* https://material-ui.com/:splat 301!
https://material-ui.com/ https://mui.com/core/ 301!
https://material-ui.com/* https://mui.com/:splat 301!

An example: X-Nf-Request-Id: 01GDR3V2SC77297JD6EJWAC2GV. It’s red HSTS Preload List Submission

1 Like

Heyo,

You should be fine actually, dw about it,
I got into the HSTS preload list fine :smiley:

Update: It’s netlify

CORS on both www and root level domain on certain routes this might be related too

For folks who return to this thread, we’ve filed an escalation for the devs to look at and we’d update the thread as we have more info.

1 Like

Very nice, the devs have a lot of work
to do because of me now xD i feel sorry for
them ngl, thank you though :slight_smile:

Hey folks!

This is something we have very recently fixed as part of this bugfix: Improvements to TLS and primary domain redirects for non-static assets

The change is slowly rolling out and only applies to Starter & Pro customers right now. It will soon roll to all customers.

I confirmed that for @B00bleaTea both the root and the www variant have the correct TLS redirect behaviour now.

@oliviertassinari it looks like you’re on a higher plan, so i opted in your site explicitly and it seems to behave correctly now.

3 Likes