v1.13.1 forcing HSTS (Strict-Transport-Security: max-age=15552000; includeSubDomains)

vf144

Cannot avoid HSTS header even if "Strict Transport Security" disabled

$ curl -I http://localhost:4567/bb
HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
X-Powered-By: NodeBB
set-cookie: _csrf=pKgoXIjK_9iHKUbVENcTWsLD; Path=/; HttpOnly; Secure; SameSite=Strict
Content-Type: text/html; charset=utf-8
Content-Length: 33997
ETag: W/"84cd-69RT9fU0GKhJKDANsNxdPOrjvls"
Vary: Accept-Encoding
Date: Wed, 15 Jan 2020 18:57:13 GMT
Connection: keep-alive

baris

Did you restart nodebb after changing the setting?

vf144

yes. I did restart.

I would guess that happens because of
webserver.js:22:var helmet = require('helmet');

which has

var DEFAULT_MIDDLEWARE = [
  'dnsPrefetchControl',
  'frameguard',
  'hidePoweredBy',
  'hsts', // <<<<<<<<<<<<<<<<<<
  'ieNoOpen',
  'noSniff',
  'xssFilter'
]

baris

@vf144 thanks for looking into this. This commit should fix the issue.

vf144

Yes. It is working now.

Thanks!