Allow override of the HSTS setting if being set downstream

Bug #1875750 reported by Robert Lyon
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

To avoid the Strict-Transport-Security header being set twice

Tags: newfeature
Robert Lyon (robertl-9)
Changed in mahara:
milestone: none → 20.04rc2
importance: Undecided → Wishlist
status: New → In Progress
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/10941

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 20.04rc2 → 20.10.0
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/10941
Committed: https://git.mahara.org/mahara/mahara/commit/23301cfe58e4272c63ff42bdf4428baedc866a41
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 23301cfe58e4272c63ff42bdf4428baedc866a41
Author: Robert Lyon <email address hidden>
Date: Wed Apr 29 08:36:00 2020 +1200

Bug 1875750: Allow for HSTS override setting

In case the site already sets this value at the webserver level or
some other point downstream

Change-Id: I128d3b7f2b52bee330e91e66e6e066c3c7532578
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
tags: added: nominatedfeature
Kristina Hoeppner (kris-hoeppner) wrote :

If nginx sets HSTS headers as well, then you can turn the setting off in Mahara:

Log in and go to Admin -> Configure site -> Site options -> Security settings and set "HSTS override" to "Yes"

To verify things are working you should see in the headers
strict-transport-security: max-age=15768000

and not
strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000

tags: added: newfeature
removed: nominatedfeature
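The header check described in the comment above, as an added example that is not part of the bug report or of Mahara's code: it parses a raw HTTP response head, lists every Strict-Transport-Security value, and reports whether the header is missing, present once, or duplicated (the condition the "HSTS override" setting is meant to prevent). The sample responses are constructed to mirror the two cases in the comment; the raw head could equally come from the site's own response.

```python
import re
from typing import List, Optional, Tuple

HSTS = "strict-transport-security"

# Constructed sample responses, not captured from a real site.
# Good case: Mahara's header only (15768000 s = 6 months).
RESPONSE_SINGLE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=15768000",
    "", "",
])
# Bad case: the webserver (e.g. nginx) and Mahara both set it.
RESPONSE_DUPLICATE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "strict-transport-security: max-age=63072000",
    "Strict-Transport-Security: max-age=15768000",
    "", "",
])


def hsts_headers(raw_head: str) -> List[str]:
    """Return every Strict-Transport-Security value, in response order.
    Header names are case-insensitive, so compare them lower-cased."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == HSTS:
            values.append(value.strip())
    return values


def max_age(value: str) -> Optional[int]:
    """Extract the max-age directive (seconds) from one header value."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_hsts(raw_head: str) -> Tuple[str, List[int]]:
    """Classify the response as 'missing', 'ok' or 'duplicate' and
    return the max-age values found. RFC 6797 tells browsers to honour
    only the first STS header, so a duplicate means the site's intended
    policy may silently be ignored; it should be fixed at one layer."""
    values = hsts_headers(raw_head)
    ages = [a for a in (max_age(v) for v in values) if a is not None]
    if not values:
        return ("missing", ages)
    if len(values) > 1:
        return ("duplicate", ages)
    return ("ok", ages)
```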
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released