Improve HSTS header

- always set the header to make it hopefully appear on redirect as well (https://fedorahosted.org/fedora-infrastructure/ticket/2888#comment:11) - set preload, to make it more likely that subdomains can be added to preload list
2015-02-04 11:44:35 +01:00 · 2015-02-04 11:44:35 +01:00 · e67081afe1
commit e67081afe1
parent 49e1e87d10
3 changed files with 3 additions and 3 deletions
--- a/roles/anitya/frontend/files/0_releasemonitoring.conf
+++ b/roles/anitya/frontend/files/0_releasemonitoring.conf
@ -9,7 +9,7 @@
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   # Use secure TLSv1.1 and TLSv1.2 ciphers
-   Header add Strict-Transport-Security "max-age=15768000"
+   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

   SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
   SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert
--- a/roles/copr/frontend/files/httpd/coprs_ssl.conf
+++ b/roles/copr/frontend/files/httpd/coprs_ssl.conf
@ -4,7 +4,7 @@
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
-    Header add Strict-Transport-Security "max-age=15768000"
+    Header always add Strict-Transport-Security "max-age=15768000; preload"

    SSLCertificateFile /etc/pki/tls/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@ -26,7 +26,7 @@ RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]

-Header add Strict-Transport-Security "max-age=15768000"
+Header always add Strict-Transport-Security "max-age=15768000; preload"


 RewriteRule ^(.+) - [PT]