ManageIQ
How does ManageIQ handles HSTS? #21911
Replies: 2 comments 2 replies
-
|
I'm not sure we do, because from what I understand this is more of a domain thing, and ManageIQ doesn't actually control the domain it's deployed from? Perhaps I'm misunderstand what HSTS does. That being said, all of our SSL stuff lives in the httpd configuration here (for appliances) and here (for podified). We don't use Rails for SSL, so that's why the Rails setting is disabled. @kbrock Do you know? |
Beta Was this translation helpful? Give feedback.
-
|
My understanding is this is a header that can be set in the apache config combined with redirecting all non-443 traffic to https. We already do the latter (https://github.com/ManageIQ/manageiq-appliance/blob/master/COPY/etc/httpd/conf.d/manageiq-http.conf#L11-L16) |
Beta Was this translation helpful? Give feedback.
-
|
The user should, or should we come out of the box with that in our apache config? I wonder if we'd also have to do that in the "hidden" apaches in the UI pods. |
Beta Was this translation helpful? Give feedback.
-
Well if they want to enable HSTS before the next release the user would have to enable this manually. I don't know if there are any downsides to enabling this but I think turning it on for our appliance would be a good idea. Since the user doesn't hit apache on the pod directly I don't think enabling it on podified apache config would help. They would have to enable it on the openshift route per https://docs.openshift.com/container-platform/4.8/networking/routes/route-configuration.html#nw-enabling-hsts_route-configuration |
Beta Was this translation helpful? Give feedback.
-
How does ManageIQ handles HSTS? I couldn't find any reference to it in any place, even the official documentation.
About HSTS (HTTP Strict Transport Security):
https://datatracker.ietf.org/doc/html/rfc6797
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Beta Was this translation helpful? Give feedback.
All reactions