
Default to HSTS only over secure connections #196

Merged
merged 2 commits into from
Jul 8, 2019

Conversation

Contributor

@Malvoz Malvoz commented Jul 6, 2019

Fix #194.

Removes the ENV=https example per #194 (comment), and sets "expr=%{HTTPS} == 'on'" as the default.

Also replaces occurrences of "SSL" (Secure Socket Layer) with TLS (Transport Layer Security) as SSL is deprecated.
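The conditional HSTS header described above, as an added example (not the project's own configuration file); the max-age value and includeSubDomains directive are assumptions, and the X-Forwarded-Proto variant in the comment is only appropriate when a trusted proxy terminates TLS in front of httpd:

```apache
# Added example, not h5bp/server-configs-apache's own file.
# Send Strict-Transport-Security only on requests that themselves arrived
# over TLS. Browsers ignore HSTS received over plain HTTP (RFC 6797, 8.1),
# and emitting it there only advertises the policy to a man in the middle.
# The "expr=" conditional on Header requires Apache httpd 2.4.10 or later.
<IfModule mod_headers.c>
    # max-age 16070400 s (~6 months) and includeSubDomains are assumed values;
    # choose them deliberately, because subdomains served over HTTP break once set.
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"

    # If TLS is terminated by a trusted reverse proxy and httpd itself speaks
    # plain HTTP, %{HTTPS} is never 'on'. In that deployment only, key the
    # header off the proxy-set scheme instead (and make sure the proxy
    # overwrites any client-supplied X-Forwarded-Proto):
    # Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTP:X-Forwarded-Proto} == 'https'"
</IfModule>
```

Confirm the running version with `apachectl -v` before relying on the expr= form, and verify with a plain-HTTP and an HTTPS request that the header appears only on the latter.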

Member

@LeoColomb LeoColomb left a comment


LGTM, thanks @Malvoz!
Big 👍 for the documentation updates.
But I do want to test it, ideally with CI (we need #188! 😉)

@LeoColomb LeoColomb requested a review from XhmikosR July 6, 2019 19:28
@LeoColomb
Member

expr=value available in 2.4.10 and later

https://httpd.apache.org/docs/current/mod/mod_headers.html#Header

Ark...

@Malvoz
Contributor Author

Malvoz commented Jul 7, 2019

Ouch.. I should've verified expr support first... Do you want me to just re-add the old logic here but keep small doc changes such as replacing mentions of SSL with TLS? Then we can revisit this in the future.

@XhmikosR
Member

XhmikosR commented Jul 8, 2019

I thought we already use expr everywhere else and the minimum Apache version is 2.4?

@LeoColomb
Member

LeoColomb commented Jul 8, 2019

> we already use expr everywhere

Indeed. OK, merging.

@LeoColomb LeoColomb merged commit 5bbc0a1 into h5bp:master Jul 8, 2019
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this pull request Jan 3, 2020
DeepInThought added a commit to DeepInThought/server-configs-nginx that referenced this pull request Jan 23, 2020
* Bump server-config-test to 1.2.1

* Additional compression method added for gzip (h5bp#236)

* Fixed description for SSL session cache & timeout (h5bp#237)

* Add `font/ttf` & `font/eot` to compressible mime-types list (h5bp#242)

Ref:
* jshttp/mime-db#169
* developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/webfont-optimization#reducing_font_size_with_compression

* Improve HSTS documentation

Ref: h5bp/server-configs-apache#196

* Stricter default for Referrer Policy

Ref: h5bp/server-configs-apache#204

* Add funding file

* Rename no-transform.conf file to content_transformation.conf

Align with other files and with Apache struct

Co-authored-by: Léo Colombaro <git@colombaro.fr>
Co-authored-by: Jogendra Kumar <39511714+jkumar-roambee@users.noreply.github.com>
Co-authored-by: Rahil <54960886+plethorahil@users.noreply.github.com>
Co-authored-by: minusf <minusf@gmail.com>
Successfully merging this pull request may close these issues.

Default HSTS to secure connections only - per advise in doc