Comment 4 for bug 1531987

Aaron Wells (u-aaronw) wrote:

On further reflection, I decided not to include the "Strict-Transport-Security" header in Mahara core. It has too much potential to cause problems for site admins. If one of them did want to serve HTTP & HTTPS content off the same domain (i.e. https://example.com/mahara & http://example.com/insecure/) they probably wouldn't notice this setting until after it was causing problems, and once they reached that point, there would be no easy way to roll back the problem. See http://stackoverflow.com/questions/10629397/how-to-disable-http-strict-transport-security

The only way to revert Strict-Transport-Security (i.e. HSTS) once it has been sent out, is:

1. Wait out the max-age period
2. Have *all* your site users clear their individual browser caches
3. Have the HTTPS version of your site serve a Strict-Transport-Security page with max-age:0. (But, you have to keep this up until *all* affected visitors have been served a copy of it.)

Of course, this difficulty in reversing it is by design. That's the whole point of this setting!

But for us, because this setting will cause nearly irreversible problems for the few sites where it is not appropriate, it would be irresponsible of us to turn it on automatically.
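To illustrate the reversal steps the comment lists, here is a small Python model of a browser's HSTS store following RFC 6797 semantics (an added example, not part of the comment or of Mahara's code). It shows that a policy only goes away when the `max-age` runs out or when a `max-age=0` header (the directive uses `=`) is received over HTTPS, and that the same header on a plain-HTTP response is ignored. The host name and timestamps are constructed.

```python
def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> absolute expiry (seconds)."""
    def __init__(self):
        self.expiry = {}

    def observe(self, host, over_https, header, now):
        """Process a response's STS header the way RFC 6797 tells a browser to."""
        # Section 8.1: honoured on HTTPS responses only; a plain-HTTP response changes nothing.
        if not over_https or header is None:
            return
        max_age = parse_hsts(header).get("max-age", "")
        if not max_age.isdigit():
            return  # missing or malformed max-age: the whole header is ignored
        if int(max_age) == 0:
            self.expiry.pop(host, None)  # max-age=0 deletes the cached policy
        else:
            self.expiry[host] = now + int(max_age)  # every HTTPS visit resets the clock

    def is_known_host(self, host, now):
        """True while the browser will still rewrite http:// to https:// for host."""
        expiry = self.expiry.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expiry[host]  # step 1 of the comment: max-age has run out
            return False
        return True


def walkthrough():
    """Constructed timeline: enable, attempt HTTP revoke, revoke over HTTPS, expire."""
    store, host = HstsStore(), "mahara.example"  # constructed host name
    store.observe(host, True, "max-age=31536000; includeSubDomains", now=0)
    enabled = store.is_known_host(host, now=100)
    store.observe(host, False, "max-age=0", now=200)  # served over HTTP: ignored
    http_revoke_ignored = store.is_known_host(host, now=200)
    store.observe(host, True, "max-age=0", now=300)  # served over HTTPS: revoked
    https_revoked = not store.is_known_host(host, now=300)
    store.observe(host, True, "max-age=60", now=400)
    expired = not store.is_known_host(host, now=460)  # exactly max-age later
    return {"enabled": enabled, "http_revoke_ignored": http_revoke_ignored,
            "https_revoked": https_revoked, "expired": expired}
```

Running `walkthrough()` returns all four flags as `True`, i.e. the revocation in step 3 only works from the HTTPS side and only reaches browsers that actually fetch it before their cached `max-age` expires.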