https://github.com/mailvelope/keyserver/blob/master/src/app.js#L68
Currently keyserver adds a bunch of headers which are not really its place to manage, especially if it's running behind a reverse proxy, which appears to be the intended scenario anyways.
For example, the current keyserver does not support serving HTTPS itself and yet it is setting HSTS and HPKP. IMO these should be handled by the reverse proxy. Any headers keyserver sets should be considered only for the [keyserver <-> reverse proxy] connection.
But yes, HSTS should either be its own config variable. This variable could be on by default and only sent when the variable is on and upgrade to https is on.
There are several reasons you don’t want HSTS. Thus this should be configurable.
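
One way to express the gating proposed in this thread, as an added example that is not keyserver code: HSTS is sent only when its own switch is on, the HTTPS upgrade is on, and the request actually arrived over TLS. The config keys `hsts`, `upgradeHTTPS` and `maxAge`, the function names, and the Koa-style `(ctx, next)` middleware shape are assumptions.

```javascript
// Added example; config keys `hsts`, `upgradeHTTPS`, `maxAge` are hypothetical.
const DEFAULTS = { hsts: true, upgradeHTTPS: false, maxAge: 31536000 };

// Decide whether a Strict-Transport-Security value should be sent.
// Returns the header value, or null when the header must be omitted.
function hstsValue(config, requestIsSecure) {
  const c = { ...DEFAULTS, ...config };
  if (!c.hsts) return null;           // operator opted out (e.g. proxy sets it)
  if (!c.upgradeHTTPS) return null;   // no HTTPS upgrade, so no HSTS promise
  if (!requestIsSecure) return null;  // RFC 6797: never send over plain HTTP
  if (!Number.isInteger(c.maxAge) || c.maxAge < 0) {
    throw new RangeError('maxAge must be a non-negative integer (seconds)');
  }
  return `max-age=${c.maxAge}`;
}

// Koa-style middleware factory. In Koa, ctx.secure honours
// X-Forwarded-Proto only when the app is created with proxy: true,
// so a spoofed header from an untrusted client does not count as TLS.
function transportHeaders(config) {
  return async function (ctx, next) {
    await next();
    const value = hstsValue(config, ctx.secure === true);
    if (value !== null) ctx.set('Strict-Transport-Security', value);
  };
}

// Constructed stand-in for a Koa context so the example runs without Koa.
function fakeCtx(secure) {
  const headers = {};
  return { secure, headers, set(k, v) { headers[k] = v; } };
}

// Runs the middleware over constructed cases and returns the HSTS header
// (or null) produced for each one.
async function demo() {
  const cases = [
    [{ upgradeHTTPS: true }, true],               // on, upgrade on, TLS
    [{ upgradeHTTPS: true }, false],              // plain HTTP hop
    [{ hsts: false, upgradeHTTPS: true }, true],  // switched off
    [{}, true],                                   // upgrade not enabled
  ];
  const out = [];
  for (const [config, secure] of cases) {
    const ctx = fakeCtx(secure);
    await transportHeaders(config)(ctx, async () => {});
    out.push(ctx.headers['Strict-Transport-Security'] ?? null);
  }
  return out;
}
```
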