Remove includeSubdomains from HSTS header #111

Merged
merged 1 commit into from
Mar 4, 2015

jwilder (Collaborator) commented Feb 28, 2015

includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS. This option might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
It can be re-enabled w/ a custom template if needed.

Fixes #109
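The subdomain effect described in the comment above, as an added example that is not part of this pull request or the project's code: a sketch of RFC 6797 header parsing and host matching, showing that a policy with `includeSubDomains` set on a parent domain also forces HTTPS on a subdomain that may only serve HTTP. The host names and header values are constructed for illustration.

```python
# Added illustration; host names and header values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class HstsPolicy:
    host: str                  # host that sent the header over HTTPS
    max_age: int
    include_subdomains: bool


def parse_hsts(host, header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    max_age, include_sub, seen = None, False, set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:
            return None                   # repeated directive: header is invalid
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored
    if max_age is None:
        return None                       # max-age is required
    return HstsPolicy(host.lower().rstrip("."), max_age, include_sub)


def forces_https(policy, target):
    """True if a browser holding `policy` would upgrade http://target."""
    if policy is None or policy.max_age == 0:
        return False                      # max-age=0 deletes the stored policy
    target = target.lower().rstrip(".")
    if target == policy.host:
        return True
    return policy.include_subdomains and target.endswith("." + policy.host)


STRICT = parse_hsts("example.test", "max-age=31536000; includeSubDomains")
RELAXED = parse_hsts("example.test", "max-age=31536000")
```

With `STRICT`, a browser that has visited `example.test` will refuse plain HTTP to `legacy.example.test` for a year; with `RELAXED`, only `example.test` itself is pinned to HTTPS.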

md5 (Contributor) commented Mar 2, 2015

I'd possibly remove STS entirely from the default configuration and document how to add it back on a per-VIRTUAL_HOST basis.

Otherwise, this change LGTM

jwilder added a commit that referenced this pull request Mar 4, 2015
Remove includeSubdomains from HSTS header
@jwilder jwilder merged commit f03c080 into master Mar 4, 2015
@jwilder jwilder deleted the jw-hsts branch March 4, 2015 21:00