Search Engine: Elastic

Article ID: 122506, created on Jul 29, 2014, last review on Aug 4, 2014

  • Applies to:
  • Operations Automation 5.5
  • Operations Automation 5.4


A website cannot be opened in a browser - it gets redirected from HTTP to HTTPS and fails to load.


Redirection rules are set in a webserver configuration file or the code in the index file is calling itself with HTTPS.


It could be a subdomain created for a branded domain after an upgrade to Parallels Operations Automation (POA) 5.5.

The "Strict-Transport-Security" header was added to branding_htaccess.tmpl in the scope of MITM vulnerability improvement in POA 5.5

You can check this under the webspace of the brand:

# grep includeSubDomains /usr/local/pem/vhosts/100002/webspace/httpsdocs/.branding_htaccess
header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

"Strict-Transport-Security" is an additional security enhancement that forces browsers to redirect all HTTP requests to HTTPS, including subdomains when "includeSubDomains" is defined.

This can also affect a Sitebuilder if the access URL is a subdomain of the brand: gets redirected to

As a result, customers cannot access their sites through the Customer Control Panel > "Edit in Parallels Plesk Sitebuilder", as HTTPS access is not configured for Sitebuilder sites.

  • In some cases, you can reproduce the issue by opening in a browser at least once (otherwise redirection will not occur for subdomains).

This issue is confirmed as a software-related issue with the ID POA-82508


Correct the redirection in the webserver configuration files or the code of the file accessed by the website.

For subdomains of a branded domain: Issue #POA-82508 has been fixed in POA 5.5 update 6

ac82ce33439a9c1feec4ff4f2f638899 caea8340e2d186a540518d08602aa065 5356b422f65bdad1c3e9edca5d74a1ae 2554725ed606193dd9bbce21365bed4e 5b048d9bddf8048a00aba7e0bdadef37 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF