
quickstart: disable HSTS headers for self-signed certificates #3741

Closed
calebdoxsey opened this issue Nov 10, 2022 · 0 comments · Fixed by #3743

Comments

@calebdoxsey (Contributor):

Is your feature request related to a problem? Please describe.

We add these headers automatically to responses:

    "X-Frame-Options":           "SAMEORIGIN",
    "X-XSS-Protection":          "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",

These make sense for valid certificates, but they are very annoying for invalid certificates, because we may end up pinning a generated self-signed certificate and the user has to manually clear the cache.

Describe the solution you'd like

We should only add these headers (by default) for routes with valid certificates.

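The behaviour the issue asks for, as an added Go example that is not Pomerium's code and not the fix in #3743: a middleware that keeps the other two headers on every response but sends Strict-Transport-Security only when the route's serving certificate is not self-signed, so a browser never pins a generated quickstart certificate. The middleware, the self-signed check and the certificate helper are hypothetical names written for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// isSelfSigned: issuer equals subject and the signature verifies under the cert's own public key.
func isSelfSigned(cert *x509.Certificate) bool {
	return cert != nil && string(cert.RawIssuer) == string(cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}
// securityHeaders sets the headers from the issue on every response, but sends HSTS only when the
// certificate served on this route is not self-signed, so a browser never pins a throwaway one.
func securityHeaders(servingCert *x509.Certificate, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "SAMEORIGIN")
		h.Set("X-XSS-Protection", "1; mode=block")
		if servingCert != nil && !isSelfSigned(servingCert) {
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
		}
		next.ServeHTTP(w, r)
	})
}
// newCert mints a throwaway Ed25519 certificate for cn (demo helper); a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: issue under its own key
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// headersFor runs one request through the middleware and returns the response headers.
func headersFor(servingCert *x509.Certificate) http.Header {
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	securityHeaders(servingCert, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "https://localhost/", nil))
	return rec.Result().Header
}
func main() { self, _ := newCert("localhost", false, nil, nil); fmt.Println(headersFor(self)) }
```

A quickstart that generates its own certificate would pass that certificate as servingCert and get only the two non-pinning headers; a route with a CA-issued certificate gets all three.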
