From 6328da8c017cf00d3c0ac8824ec5af128f6db42e Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Sun, 9 Sep 2018 22:10:38 +0200
Subject: [PATCH] make HSTS opt-in and leave it to the reverse-proxy

---
 server.ts              | 3 ++-
 support/nginx/peertube | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/server.ts b/server.ts
index 2db39ab06..76d00edd3 100644
--- a/server.ts
+++ b/server.ts
@@ -55,7 +55,8 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 app.use(helmet({
   frameguard: {
     action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-  }
+  },
+  hsts: false
 }))
 
 // ----------- Database -----------
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 0720dbd97..5d97c0cf1 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -44,7 +44,11 @@ server {
   gzip_types text/css text/html application/javascript;
   gzip_vary on;
 
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  # Enable HSTS
+  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+  # version. Once a browser sees this header, it will only visit the site over
+  # HTTPS for the next 2 years: (read more on hstspreload.org)
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;
-- 
2.41.0
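Review bot: `hsts: false` on the new side removes the Strict-Transport-Security header from every response the app emits, and nothing in the hunk records that the header is now expected from the reverse proxy, so an operator reading this file sees HSTS switched off with no pointer to where it moved. A why-comment on the added line would carry that contract: `hsts: false // HSTS is left to the reverse proxy, see support/nginx/peertube`. Since `trust proxy` is set on the line above, the app is already assumed to sit behind a proxy, which makes the move consistent, but a deployment without the nginx snippet (or with its directive still commented out) ends up with no HSTS at all — that consequence belongs in the comment or the release notes. The `app.use(helmet({ ... }))` call is complete within the hunk.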
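Review bot: The new comment block opens with `# Enable HSTS` while the directive under it is commented out, so the sample reads as though HSTS is already on; the first line should state the action, e.g. `# Uncomment the add_header line below to enable HSTS`. Because the sample value keeps `includeSubDomains` and `preload`, the comment should also warn that these are hard to back out — once browsers have cached the policy, or the domain has been submitted to hstspreload.org, every subdomain must serve valid HTTPS for the whole max-age window — so admins should start with a short max-age and without `preload` until they are sure. Two further caveats a practitioner would want here: nginx does not inherit `add_header` from the `server` block into a `location` block that sets its own `add_header`, so the header can silently disappear on some paths if it is only enabled at this level; and an existing instance that upgrades stops sending the header it sent before this change, which the commit message does not mention. The `server { ... }` block continues outside the hunk.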