In my project, HSTS is enabled. So if someone is tryig to use the site using the HTTP then it redirects to HTTPS.

After the Security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS.

Example 1:

On Google Crome if i am trying below URL then it redirects to HTTPS:

http://example.com/backend/web/lib/roboto/Roboto-Light.woff2 then it

redirects to

https://example.com/backend/web/lib/roboto/Roboto-Light.woff2

If i try same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

Example 2:

If i am trying below URL on both google Chrome and Firefox it just downloads the file.

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

So what should i do to fix this issue?

Update

Network log after accessing the below URL:

http://example.com/backend/web/lib/roboto/Roboto-Black.ttf

It seems that first file is being loaded by visiting the HTTP URL. But the https one not being updated in Address Bar of browser but not sure.

VHOST Settings

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName example.com

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

You need to go back and ask the security scan people why they think this is the case.

You are clearly showing that HSTS is being set for the font files. You area also showing that you are correctly showing the 307 internal redirect for HSTS reasons.

This is the way it's supposed to work. You get two requests in Chrome's network tab (other browsers may be different):

1. A fake 307 response which upgrades the request from HTTP to HTTPS. This is created by the browser and the HTTP request never reaches the server. Hence why I am calling it a "fake" resonse.
2. The real request sent over HTTPS.

As fonts are downloaded it's difficult to tell that this was downloaded over HTTPS except by looking in the network tab - but that's fine.

If i try same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.

How do you know this? Are you sure you have visited the site over HTTPS to get the HSTS header? The first request may well be over HTTP (though you have a standard redirect in place so this should redirect to HTTPS and then download), but after that it should auto redirect BEFORE the request is sent.

If i am trying below URL on both google Chrome and Firefox it just downloads the file.

It probably does. But after a redirect.

It seems that first file is being loaded by visiting the HTTP URL. But the https one not being updated in Address Bar of browser but not sure.

No, as discussed the first one is a dummy request. The second is the real request which is actually sent to the browser. As the font file is downloaded immediately it doesn't do anything with the URL bar.