While configuring your web server, you may have the ability to enable HTTP Strict Transport Security (HSTS). This is a security enhancement that is specified by your web application through the use of a specific response header. Once enabled, the browser receives this information and prevents any communication from being sent over HTTP, forcing all communication to be sent over HTTPS.
When HSTS is initially configured, oftentimes it is set up to include subdomains. If this setting is enabled, it requires the subdomains to be encrypted. When setting up your branding settings, Listrak requests non-HTTPS subdomains to be configured for the branded media subdomain. Listrak hosts an SSL certification for the Domain Alias subdomain to allow HTTPS, but currently the Media Domain does not support HTTPS. The Media Domain typically looks like this:
If HSTS is enabled on subdomains, it will include HTTPS as the protocol instead of HTTP, which results in an error in your List Settings and when sending a message. Below is an example of this error message:
REMOVING YOUR HSTS ON SUBDOMAINS
You can prevent HSTS from being enforced on subdomains by following the below steps.
- Remove the includeSubdomains directive from the HSTS header on the root of your website.
An example with includeSubDomains might look like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains
After removing includeSubDomains it should look like this:
DISABLE THE MEDIA DOMAIN
You can also disable the branded media subdomain in the List Settings. Please keep in mind that this will cause images in the media library to have a URL that looks like http://media.lt02.net:
- Navigate from the home menu to Manage.
- Go to Lists.
- Then List Settings.
- Navigate to the Branding Section.
- Select I do not have a Media Domain for the Media Domain options.
- Click Save.
For additional resources on the includeSubDomains directive, you can see the RFC for HSTS here.