Преглед на файлове

Remove includeSubdomains from HSTS header

includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS.  This options might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
It can be re-enabled w/ a custom template if needed.

Fixes #109
Jason Wilder преди 10 години
родител
ревизия
4a99ac5548
променени са 1 файла, в които са добавени 1 реда и са изтрити 1 реда
  1. 1 1
      nginx.tmpl

+ 1 - 1
nginx.tmpl

@@ -105,7 +105,7 @@ server {
 	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+	add_header Strict-Transport-Security "max-age=31536000";
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};