OPNsense Forum
English Forums => Development and Code Review => Topic started by: Oxima69 on March 29, 2019, 09:27:07 am
-
Hi,
Since version 1.8
HSTS not sent automatically anymore if HTTP over TLS is configured (still available via security header)
I guess there's a little problem here.
after activation via security header the nginx.conf has the following entry
add_header Strict-Transport-Security "15768000" always;
max-age is missing ?
it should be
add_header Strict-Transport-Security "max-age=15768000" always;
Or do I get something wrong......
-
that's a bug which I will fix
-
You can install the patch from here: https://github.com/opnsense/plugins/pull/1284/files
opnsense-patch -c plugins 7ed13346710a56ec504d114c102e34f7f4d35253
-
Great,
it works.
-
maybe in this context.
there is a little cosmetic error.
when activating the security headers.
you have 2 entries of
proxy_hide_header Strict-Transport-Security;
-
use the same command with 26fff9cdd527988c2d147d81e1a8f1f3f02dcd54 and it should be gone.
https://github.com/opnsense/plugins/pull/1288/commits/26fff9cdd527988c2d147d81e1a8f1f3f02dcd54
-
Great,
it works.
-
Good to know that it works. Will be in the next release.