]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/commitdiff
make HSTS opt-in and leave it to the reverse-proxy
authorRigel Kent <sendmemail@rigelk.eu>
Sun, 9 Sep 2018 20:10:38 +0000 (22:10 +0200)
committerRigel Kent <sendmemail@rigelk.eu>
Sun, 9 Sep 2018 20:10:38 +0000 (22:10 +0200)
server.ts
support/nginx/peertube

index 2db39ab06c3c0813d4449f4ee3ba1219cbae825f..76d00edd3ae77ee0b2b6add58b1c461dbcb2a188 100644 (file)
--- a/server.ts
+++ b/server.ts
@@ -55,7 +55,8 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 app.use(helmet({
   frameguard: {
     action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-  }
+  },
+  hsts: false
 }))
 
 // ----------- Database -----------
index 0720dbd979a0feb05fb5857735c5f1336dd09938..5d97c0cf1b2c474cffa1ef8114bafe6676eb05ee 100644 (file)
@@ -44,7 +44,11 @@ server {
   gzip_types text/css text/html application/javascript;
   gzip_vary on;
 
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  # Enable HSTS
+  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+  # version. Once a browser sees this header, it will only visit the site over
+  # HTTPS for the next 2 years: (read more on hstspreload.org)
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;