enable HSTS #11931
According to Nginx's documentation (http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header), `add_header` settings are inherited by more deeply nested server or location blocks only if those blocks do not contain their own `add_header` statements. In our case the relevant block does have its own `add_header` statements. Thus the HSTS settings from Nginx's main configuration file are not inherited and need to be reproduced.
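To make the inheritance rule from the description concrete, here is an added example (not code from Nextcloud or nginx) that models the one rule quoted from the `ngx_http_headers_module` docs: a block inherits `add_header` directives from its enclosing level only when it declares none of its own. The config text is a constructed, heavily trimmed sketch of a Nextcloud-style vhost; `parse_blocks`, `effective_headers`, `parse_hsts` and `hsts_ok` are names chosen for this demo and the 15768000-second threshold is the value used in this PR.

```python
"""Model nginx add_header inheritance (added example, not project code).

Only the documented rule is implemented: own add_header lines on a level
replace, rather than extend, the set inherited from the parent level.
"""
import re

# Constructed sketch of a vhost; the real nginx.conf and Nextcloud snippet
# contain far more directives than shown here.
CONF_BEFORE = """
http {
    add_header Strict-Transport-Security "max-age=15768000" always;
    server {
        location / {
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
        }
        location /static/ {
        }
    }
}
"""

# The fix from this PR: repeat the HSTS line inside the block that already
# carries its own add_header directives.
CONF_AFTER = CONF_BEFORE.replace(
    "add_header Referrer-Policy",
    'add_header Strict-Transport-Security "max-age=15768000" always;\n'
    "            add_header Referrer-Policy",
    1,
)


def parse_blocks(text):
    """Minimal brace-matching parser for the demo (not a full nginx parser).
    Returns a tree of {"headers": [(name, value)], "children": {name: node}}."""
    root = {"headers": [], "children": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {"headers": [], "children": {}}
            stack[-1]["children"][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            m = re.match(r'add_header\s+(\S+)\s+"([^"]*)"', line)
            if m:
                stack[-1]["headers"].append((m.group(1), m.group(2)))
    return root


def effective_headers(text, path):
    """Headers nginx would emit for the block named by path, e.g.
    ("http", "server", "location /"), under the documented inheritance rule."""
    node = parse_blocks(text)
    inherited = []
    for name in path:
        node = node["children"][name]
        if node["headers"]:
            inherited = node["headers"]  # own directives shadow the parent's set
    return dict(inherited)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            out["max-age"] = int(part.split("=", 1)[1])
        elif part.lower() == "includesubdomains":
            out["includeSubDomains"] = True
        elif part.lower() == "preload":
            out["preload"] = True
    return out


def hsts_ok(headers, min_age=15768000):
    """True if HSTS is present with max-age at least min_age seconds."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    age = parse_hsts(value)["max-age"]
    return age is not None and age >= min_age


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        for loc in ("location /", "location /static/"):
            h = effective_headers(conf, ("http", "server", loc))
            print(label, loc, "HSTS" if hsts_ok(h) else "NO HSTS", sorted(h))
```

Running it shows the asymmetry the description points out: `location /static/`, which declares nothing, inherits HSTS from the `http` level, while `location /` loses it until the line is repeated. On a live deployment the equivalent check is `nginx -T` to see the merged config, then inspecting the response headers of the Nextcloud location itself rather than a static path.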
@wolegis Thank you! But could you please sign off your commit?
The HSTS header config is now included twice. I see no difference between both versions and HSTS should not be enabled by default in my opinion. Enabling it has severe implications and should be considered thoroughly.
See the whole block:

```nginx
# HSTS settings
# although already present in main configuration file this must be reproduced here
# (see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
add_header Strict-Transport-Security "max-age=15768000" always;
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
```
The two IMHO, HSTS in itself is desirable. The problematic part is
Signed-off-by: wolegis <[email protected]>
I've improved the comments (and additionally signed off the latest commit).