Fix HTTP Strict Transport Security header #7

Closed
opened 2015-03-18 11:49:13 +01:00 by alanorth · 2 comments
alanorth commented 2015-03-18 11:49:13 +01:00 (Migrated from github.com)

For some reason it's not getting set when I include it with the other SSL stuff... if I move it next to the `add_header` in the PHP block it works. Must be some order thing...
alanorth commented 2015-03-18 16:35:23 +01:00 (Migrated from github.com)

According to the [docs](http://nginx.org/en/docs/http/ngx_http_headers_module.html), the inheritance is conditional:

> There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

So I have to re-evaluate the logic... as requests in the php block get the FastCGI-Cache header, and therefore don't get the HSTS header! I could just set the HSTS header there as well I suppose...?

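The inheritance rule quoted from the nginx docs, shown as an added configuration example (not the repository's own config; `example.com` hostnames, the socket path, the `WORDPRESS` cache zone and the snippet path are assumptions). The first `server` block reproduces the problem: the PHP `location` declares its own `add_header` for the cache status, so it inherits nothing from the server level and PHP responses go out without HSTS. The second block keeps the security headers in one included snippet and re-includes it inside any `location` that adds headers of its own.

```nginx
# Added example; hostnames, paths and the cache zone are assumptions.
# Assumes a fastcgi_cache_path ... keys_zone=WORDPRESS:... in the http context.

# BEFORE: the location-level add_header silences the server-level ones.
server {
    listen 443 ssl;
    server_name broken.example.com;

    # Only inherited by a location that declares NO add_header of its own.
    add_header Strict-Transport-Security "max-age=15768000";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_cache WORDPRESS;
        # This single directive drops the three server-level headers
        # for every PHP response, including the HTML pages people visit.
        add_header X-FastCGI-Cache $upstream_cache_status;
    }
}

# AFTER: shared headers live in one snippet that is included at every
# level that declares add_header.
# /etc/nginx/snippets/security-headers.conf contains:
#     add_header Strict-Transport-Security "max-age=15768000" always;
#     add_header X-Frame-Options SAMEORIGIN always;
#     add_header X-Content-Type-Options nosniff always;
server {
    listen 443 ssl;
    server_name fixed.example.com;

    include snippets/security-headers.conf;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_cache WORDPRESS;
        add_header X-FastCGI-Cache $upstream_cache_status;
        # Re-declare the shared set here, otherwise it is lost.
        include snippets/security-headers.conf;
    }
}
```

Run `nginx -t` after editing and then request a PHP page and a static file and compare the response headers. The `always` parameter (available since nginx 1.7.5) makes `add_header` emit the header on every status code; without it nginx only adds the header to 200, 204, 301, 302 and 304 responses, so an error page or redirect would still leave without HSTS.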
alanorth commented 2015-03-18 17:33:46 +01:00 (Migrated from github.com)

See here, at least some requests manage to set the header:

```console
$ http --print Hh https://mjanja.ch/wordpress/wp-content/uploads/2013/10/0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0.asc --verify no
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:747: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
GET /wordpress/wp-content/uploads/2013/10/0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0.asc HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mjanja.ch
User-Agent: HTTPie/0.8.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 8889
Content-Type: application/octet-stream
Date: Wed, 18 Mar 2015 16:31:51 GMT
ETag: "5438f67c-22b9"
Last-Modified: Sat, 11 Oct 2014 09:21:00 GMT
Server: nginx
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
```

And indeed, once a client gets any HSTS header it will remember it, but we definitely need to get this on something less obscure than a random text file which lives on the server which the client is most likely NOT going to click!

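A small checker for the situation in this comment, where only some paths on a host return the header: it reports, per URL, whether `Strict-Transport-Security` was sent and with which `max-age`. This is an added example, not a script from the repository; `hsts_max_age` parses raw response headers from stdin (so it can be tested offline), and `hsts_report` feeds it the headers of a GET made with `curl` (network required; the URL list is the caller's).

```shell
#!/bin/sh
# Added example, not part of the alanorth/ansible-personal repository.

# Read raw HTTP response headers on stdin; print the HSTS max-age value,
# or nothing when the header is absent. Header names are matched
# case-insensitively and CRLF line endings are tolerated.
hsts_max_age() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, parts, /; */)
            for (i = 1; i <= n; i++) {
                if (tolower(substr(parts[i], 1, 8)) == "max-age=") {
                    print substr(parts[i], 9)
                    exit
                }
            }
        }'
}

# For each URL, fetch it with a GET (headers to stdout, body discarded)
# and say whether HSTS came back. Exit status 1 if any URL lacked it,
# so this can gate a deploy or run from a cron job.
hsts_report() {
    missing=0
    for url in "$@"; do
        age=$(curl -sS -o /dev/null -D - "$url" | hsts_max_age)
        if [ -n "$age" ]; then
            printf '%s\tHSTS max-age=%s\n' "$url" "$age"
        else
            printf '%s\tNO HSTS\n' "$url"
            missing=1
        fi
    done
    return "$missing"
}

# Usage (one PHP page and one static file, to compare the two paths):
#   hsts_report https://example.com/ https://example.com/robots.txt
```

Checking a PHP-served page and a static file side by side is the quickest way to see the inheritance problem from the previous comment: the static file carries the header, the PHP page does not.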
Reference: alanorth/ansible-personal#7