Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(mc-html-template): make transport security configurable #2244

Merged
merged 3 commits into from
Jun 4, 2021
Merged

feat(mc-html-template): make transport security configurable #2244

merged 3 commits into from
Jun 4, 2021

Conversation

tdeekens
Copy link
Contributor

@tdeekens tdeekens commented Jun 4, 2021

Summary

Instead of changing the default let's make it configurable.

@changeset-bot
Copy link

changeset-bot bot commented Jun 4, 2021
edited
Loading

🦋 Changeset detected

Latest commit: eeb6322

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@commercetools-frontend/application-config Patch
@commercetools-frontend/mc-html-template Patch
@commercetools-frontend/cypress Patch
@commercetools-frontend/mc-scripts Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link

vercel bot commented Jun 4, 2021
edited
Loading

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/commercetools/merchant-center-application-kit/DcuKXrH9RyxG12n8kYcxhAqFornQ
✅ Preview: https://merchant-cente-git-feat-transport-security-commer-3b8cbe.vercel.app

@vercel vercel bot temporarily deployed to Preview June 4, 2021 11:13 Inactive
@vercel vercel bot temporarily deployed to Preview June 4, 2021 11:21 Inactive
@vercel vercel bot temporarily deployed to Preview June 4, 2021 11:56 Inactive
@tdeekens tdeekens merged commit 118efed into main Jun 4, 2021
@tdeekens tdeekens deleted the feat/transport-security branch June 4, 2021 12:32
@ghost ghost mentioned this pull request Jun 4, 2021
Merged
emmenko
emmenko reviewed Jun 21, 2021
View reviewed changes
packages/application-config/schema.json
},
"strictTransportSecurity": {
"description": "Additional configuration for the HTTP Strict-Transport-Security header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)",
"$ref": "#/definitions/hstsDirective"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: a ref is only useful if you reuse the object within the schema. In this case you could just "inline" it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I recall 100% but inlining it might have produced different typings.

packages/mc-html-template/src/process-headers.js
@@ -120,7 +120,9 @@ const processHeaders = (applicationConfig) => {
);

return {
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the preload option is now NOT a default anymore? Any particular reason for that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The preload wasn't default before. The steps we took where while we only had max-age:

  1. Add includeSubDomains and preload
  2. Reflect and consider making it configurable and hence remove the just added defaults

All cause we wanted to integrate this change slowly one app first. Now that it runs for a week or two we could remove the configuration option or change the default.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I didn't see the other PR #2242 🤦‍♂️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emmenko emmenko emmenko left review comments

@pa3 pa3 pa3 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tdeekens @emmenko @pa3