
Fix HSTS header max-age value. #3225

Merged
merged 1 commit into from
Mar 19, 2021

Conversation

pylr
Contributor

@pylr pylr commented Mar 16, 2021

Wiki.js uses the wrong property to access the saved value for the max-age field of the Strict-Transport-Security HTTP response header. After enabling the "Enforce HSTS" option in the administration area, under the "Security" section, one would expect a new HTTP response header to be set like:
Strict-Transport-Security: max-age=600; includeSubDomains
Instead, this header is set:
Strict-Transport-Security: max-age=undefined; includeSubDomains
This is invalid according to RFC 6797 and we cannot expect browsers to correctly apply the intended HSTS policy.

This PR fixes this.

I have tested this change with the current dev branch on one of my servers and it's working.
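
An added example, not code from this pull request or from Wiki.js: a checker that parses a Strict-Transport-Security value against the directive grammar of RFC 6797 (section 6.1), so a value such as the `max-age=undefined` header described above is flagged, plus a builder that refuses to emit a header when the configured max-age is not a non-negative integer. The function names `parseHsts` and `buildHsts` and the `config` object shape are assumptions for this example.

```javascript
// Parse an STS header value per RFC 6797 section 6.1: directives are
// separated by ";", names are case-insensitive, max-age is required and
// must be a non-negative integer, and no directive may appear twice.
// Unknown directives are ignored by user agents, so they are not errors.
function parseHsts(value) {
  const result = { valid: true, maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue; // empty directives are permitted by the grammar
    const [name, ...rest] = directive.split('=');
    const key = name.trim().toLowerCase();
    // A directive value may be a token or a quoted-string; strip surrounding quotes.
    const val = rest.length ? rest.join('=').trim().replace(/^"(.*)"$/, '$1') : null;
    if (seen.has(key)) { result.errors.push(`duplicate directive: ${key}`); continue; }
    seen.add(key);
    if (key === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) {
        result.errors.push(`max-age must be a non-negative integer, got ${JSON.stringify(val)}`);
      } else {
        result.maxAge = Number(val);
      }
    } else if (key === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (key === 'preload') {
      result.preload = true;
    }
  }
  if (!seen.has('max-age')) result.errors.push('missing required max-age directive');
  result.valid = result.errors.length === 0;
  return result;
}

// Build the header value from a config object (assumed shape, not Wiki.js's
// schema). Number(undefined) is NaN, so a missing or misread property is
// rejected here instead of being serialised as "max-age=undefined".
function buildHsts(config) {
  const maxAge = Number(config.maxAge);
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError(`HSTS max-age must be a non-negative integer, got ${String(config.maxAge)}`);
  }
  let header = `max-age=${maxAge}`;
  if (config.includeSubDomains) header += '; includeSubDomains';
  return header;
}

// The two header values quoted in the pull request description.
const good = parseHsts('max-age=600; includeSubDomains');
const bad = parseHsts('max-age=undefined; includeSubDomains');
console.log(good.valid, good.maxAge, bad.valid, bad.errors);
```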

@NGPixel NGPixel merged commit e87d511 into requarks:dev Mar 19, 2021
jionggyu pushed a commit to jionggyu/wiki-2.5.302-patch that referenced this pull request Jul 9, 2024