nginx - HSTS

Started by Oxima69, March 29, 2019, 09:27:07 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 29, 2019, 09:27:07 AM Last Edit: March 29, 2019, 10:36:42 AM by Oxima69
Hi,

Since version 1.8
QuoteHSTS not sent automatically anymore if HTTP over TLS is configured (still available via security header)

I guess there's a little problem here.

after activation via security header the nginx.conf has the following entry

Code Select
add_header Strict-Transport-Security "15768000" always;

max-age is missing ?

it should be

Code Select
add_header Strict-Transport-Security "max-age=15768000" always;

Or do I get something wrong......
March 29, 2019, 05:36:31 PM #1
that's a bug which I will fix
March 29, 2019, 05:59:27 PM #2
You can install the patch from here: https://github.com/opnsense/plugins/pull/1284/files

opnsense-patch -c plugins 7ed13346710a56ec504d114c102e34f7f4d35253
April 01, 2019, 09:52:37 AM #3
Great,
it works.
April 01, 2019, 09:59:25 AM #4
maybe in this context.
there is a little cosmetic error.

when activating the security headers.
you have 2 entries of

Code Select
proxy_hide_header Strict-Transport-Security;
April 01, 2019, 09:44:52 PM #5
use the same command with 26fff9cdd527988c2d147d81e1a8f1f3f02dcd54 and it should be gone.

https://github.com/opnsense/plugins/pull/1288/commits/26fff9cdd527988c2d147d81e1a8f1f3f02dcd54
April 02, 2019, 12:31:16 PM #6
Great,
it works.
April 02, 2019, 06:02:28 PM #7
Good to know that it works. Will be in the next release.
Print
Go Up Pages1
User actions