mahara-contributors team mailing list archive

Thread
Date

[Bug 1875750] Re: Allow override of the HSTS setting if being set downstream

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Kristina Hoeppner <1875750@xxxxxxxxxxxxxxxxxx>
Date: Sun, 24 May 2020 20:52:51 -0000
Reply-to: Bug 1875750 <1875750@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

If NGinx sets HSTS headers as well, then you can turn the setting off in
Mahara:

Log in and go to Admin -> Configure site -> Site options -> Security
settings and set "HSTS override" to "Yes"

To verify things are working you should see in the headers
strict-transport-security: max-age=15768000

and not
strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1875750

Title:
  Allow override of the HSTS setting if being set downstream

Status in Mahara:
  Fix Committed

Bug description:
  To avoid the Strict-Transport-Security header being set twice

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1875750/+subscriptions

References

[Bug 1875750] [NEW] Allow override of the HSTS setting if being set downstream
From: Robert Lyon, 2020-04-28