Allow override of the HSTS setting if being set downstream

Bug #1875750 reported by Robert Lyon on 2020-04-28

Bug Description

To avoid the Strict-Transport-Security header being set twice

Robert Lyon (robertl-9) on 2020-04-28
Changed in mahara:
milestone: none → 20.04rc2
importance: Undecided → Wishlist
status: New → In Progress
Robert Lyon (robertl-9) on 2020-04-28
Changed in mahara:
milestone: 20.04rc2 → 20.10.0

Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 23301cfe58e4272c63ff42bdf4428baedc866a41
Author: Robert Lyon <email address hidden>
Date: Wed Apr 29 08:36:00 2020 +1200

Bug 1875750: Allow for HSTS override setting

In case the site already sets this value at the webserver level or
some other point downstream

Change-Id: I128d3b7f2b52bee330e91e66e6e066c3c7532578
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2020-05-20
Changed in mahara:
status: In Progress → Fix Committed
tags: added: nominatedfeature

If Nginx sets HSTS headers as well, then you can turn the setting off in Mahara:

Log in and go to Admin -> Configure site -> Site options -> Security settings and set "HSTS override" to "Yes"

To verify things are working you should see in the headers
strict-transport-security: max-age=15768000

and not
strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000

tags: added: newfeature
removed: nominatedfeature
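
A check for the duplicate-header condition described in the verification comment above, as an added example that is not part of the original bug report or of Mahara's code. It reads a response header dump such as the output of `curl -sI` against your own site; the function names and the sample dumps are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a response header dump for duplicate HSTS headers.

# hsts_audit reads raw response headers on stdin (for instance the output of
# `curl -sI` against your own site) and looks only at the final response block,
# so headers sent on an earlier redirect hop are not counted.
# Exit status: 0 = exactly one HSTS header, 1 = none, 2 = more than one.
hsts_audit() {
  awk '
    { sub(/\r$/, "") }                        # header dumps keep CRLF endings
    /^HTTP\// { n = 0; next }                 # status line: start a new block
    tolower($0) ~ /^strict-transport-security[ \t]*:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)             # keep only the header value
      val[++n] = v
    }
    END {
      for (i = 1; i <= n; i++) printf "hsts[%d]: %s\n", i, val[i]
      if (n == 0) { print "verdict: missing"; exit 1 }
      # RFC 6797 section 8.1: a user agent processes only the first header.
      if (n > 1)  { print "verdict: duplicate, only hsts[1] is honoured"; exit 2 }
      print "verdict: ok"
    }
  '
}

# Constructed sample dumps, using the max-age values quoted in the comment.
sample_single() {
  printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n'
  printf 'strict-transport-security: max-age=15768000\r\n\r\n'
}
sample_double() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'strict-transport-security: max-age=63072000\r\n'
  printf 'Strict-Transport-Security: max-age=15768000\r\n\r\n'
}

sample_single | hsts_audit || true   # expect "verdict: ok"
sample_double | hsts_audit || true   # expect the duplicate verdict
```

The non-zero exit status on a missing or duplicated header lets the function gate a deployment smoke test after the "HSTS override" setting is changed.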