There should be a way to set HSTS headers #1329
Comments
Oddly enough, the RFC mentions only two directives, We usually have a TLS terminator in front of Zotonic, in which case mod_ssl is not enabled. So either we add this to a separate module (other than mod_ssl) or we document that when a TLS terminator is used, setting the
I am redoing
BTW I will need a way to see if the request originated via SSL or not. Is there any information added in haproxy (or other SSL terminators) to derive this?
RFC7239 defines such a thing.
Exactly: what used to be
The
Merge the changes in #2297 into master
It would be incredibly nice for TLS-enabled Zotonic websites to be able to set an HSTS (HTTP Strict-Transport-Security) header.
The header should have a configurable max age and allow configuring other directives (such as includeSubDomains and preload) as required. If enabled, it should be included on every response served over HTTPS (taking into account possible TLS-offloading proxies.)
See also https://tools.ietf.org/html/rfc6797.
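The behaviour requested in the issue, as an added Erlang example that is not Zotonic's code: it builds the header from configurable directives and adds it only for HTTPS requests, accepting the RFC 7239 `Forwarded` header only from a configured TLS terminator. The module, function and config key names are hypothetical, and request headers are assumed to be a map with lowercase binary keys.

```erlang
%% Added example; not Zotonic code. All names here are hypothetical.
-module(hsts_example).
-export([hsts_value/1, is_secure/4, add_hsts/3]).

%% Build the header value. RFC 6797 requires max-age; includeSubDomains is
%% optional; preload is a token from browser preload lists, not the RFC.
hsts_value(#{max_age := MaxAge} = Cfg) when is_integer(MaxAge), MaxAge >= 0 ->
    Parts = [<<"max-age=", (integer_to_binary(MaxAge))/binary>>]
        ++ [<<"includeSubDomains">> || maps:get(include_subdomains, Cfg, false)]
        ++ [<<"preload">> || maps:get(preload, Cfg, false)],
    iolist_to_binary(lists:join(<<"; ">>, Parts)).

%% True when the client reached us over HTTPS. A direct TLS socket always
%% counts; the Forwarded header counts only when the peer address is one of
%% the configured TLS terminators, since any client can send that header.
is_secure(true, _Peer, _ReqHeaders, _TrustedProxies) ->
    true;
is_secure(false, Peer, ReqHeaders, TrustedProxies) ->
    lists:member(Peer, TrustedProxies)
        andalso forwarded_proto(ReqHeaders) =:= <<"https">>.

%% Extract proto from the last Forwarded element (added by the nearest proxy).
forwarded_proto(ReqHeaders) ->
    case maps:get(<<"forwarded">>, ReqHeaders, undefined) of
        undefined ->
            undefined;
        Value ->
            Last = lists:last(binary:split(Value, <<",">>, [global])),
            Pairs = [binary:split(string:trim(P), <<"=">>)
                     || P <- binary:split(Last, <<";">>, [global])],
            case [V || [K, V] <- Pairs, string:lowercase(K) =:= <<"proto">>] of
                [Proto | _] -> string:lowercase(string:trim(Proto, both, "\""));
                [] -> undefined
            end
    end.

%% Add the header only to responses for HTTPS requests (RFC 6797 section 7.2
%% forbids sending it over plain HTTP).
add_hsts(RespHeaders, true, Cfg) ->
    RespHeaders#{<<"strict-transport-security">> => hsts_value(Cfg)};
add_hsts(RespHeaders, false, _Cfg) ->
    RespHeaders.
```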