
mahara-contributors team mailing list archive

[Bug 1875750] Re: Allow override of the HSTS setting if being set downstream


The associated WR333970 has the following update from Robert:

OK, I've spoken with John Morton and now I understand what is happening.

So I thought the issue was fixed because I was using a Firefox browser
and it was only showing the first Strict-Transport-Security header (the
one set by Mahara), but once I used the Chromium browser I could see both
HSTS headers being set. The one starting with 630 is Mahara's one and the
one starting with 157 is the Nginx one.

So yep we need to cherry-pick the https://reviews.mahara.org/#/c/10941/
patch to those sites listed (I've done/tested this out on catalyst
showcase already).

And once deployed out we need to log in and go to Admin -> Configure site
-> Site options -> Security settings and set "HSTS override" to "Yes".

To verify things are working you should see in the headers
strict-transport-security: max-age=15768000

and not
strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1875750

Title:
  Allow override of the HSTS setting if being set downstream

Status in Mahara:
  Fix Committed

Bug description:
  To avoid the Strict-Transport-Security header being set twice

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1875750/+subscriptions
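Added example, not code from Mahara or from the thread: a small checker that reads a raw response header block (what `curl -sI https://host/` prints) and reports every Strict-Transport-Security header it finds, so the "one header, not two" verification above does not depend on a browser's devtools, which (as seen with Firefox here) may collapse duplicates. The two sample header blocks are constructed to mirror the max-age values quoted in the thread; the host, `server` and `content-type` lines are placeholders.

```python
"""Detect duplicate Strict-Transport-Security headers in an HTTP response.

Added example for this thread; it is not Mahara or Catalyst code. It parses
a raw header block (e.g. the output of `curl -sI https://host/`) instead of
relying on browser devtools. Sample inputs are constructed; the host and
non-HSTS headers are placeholders.
"""
import re
from typing import Dict, List, Tuple

HSTS = "strict-transport-security"
MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)

# Constructed sample: both the application (63072000, first) and Nginx
# (15768000, second) emit HSTS, i.e. the situation the bug describes.
BEFORE_FIX = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000
"""

# Constructed sample: after the patch is deployed and "HSTS override" is
# set to Yes, only the downstream (Nginx) header remains.
AFTER_FIX = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15768000
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs with lower-cased names, keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        # Skip the status line, blank lines and anything that is not name:value.
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hsts_max_ages(raw: str) -> List[int]:
    """max-age of every HSTS header, in emission order; -1 if none parsable."""
    ages = []
    for name, value in parse_headers(raw):
        if name != HSTS:
            continue
        m = MAX_AGE_RE.search(value)
        ages.append(int(m.group(1)) if m else -1)
    return ages


def check_hsts(raw: str) -> Dict[str, object]:
    """Summarise the HSTS headers of one response.

    'effective' is the max-age a conforming user agent applies: RFC 6797
    has the UA process only the first STS header field it receives, so with
    two copies the policy that sticks depends on header ordering, not on
    which layer was meant to own it. A single header with max-age > 0 is
    'ok'; max-age=0 would clear the policy, so it is not counted as ok.
    """
    ages = hsts_max_ages(raw)
    return {
        "count": len(ages),
        "max_ages": ages,
        "duplicate": len(ages) > 1,
        "effective": ages[0] if ages else None,
        "ok": len(ages) == 1 and ages[0] > 0,
    }


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_hsts(raw))
```

On a live site, pipe the `curl -sI` output into `check_hsts` and expect `count` 1 and `duplicate` False once the override is enabled; if `duplicate` is True, `effective` tells you which layer's max-age browsers are actually honouring.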

