v1.13.1 forcing HSTS (Strict-Transport-Security: max-age=15552000; includeSubDomains)



  • Cannot avoid the HSTS header even if "Strict Transport Security" is disabled

    $ curl -I http://localhost:4567/bb
    HTTP/1.1 200 OK
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Referrer-Policy: strict-origin-when-cross-origin
    X-Powered-By: NodeBB
    set-cookie: _csrf=pKgoXIjK_9iHKUbVENcTWsLD; Path=/; HttpOnly; Secure; SameSite=Strict
    Content-Type: text/html; charset=utf-8
    Content-Length: 33997
    ETag: W/"84cd-69RT9fU0GKhJKDANsNxdPOrjvls"
    Vary: Accept-Encoding
    Date: Wed, 15 Jan 2020 18:57:13 GMT
    Connection: keep-alive
    



  • Admin Staff

    Did you restart nodebb after changing the setting?



  • yes. I did restart.

    I would guess that happens because of
    webserver.js:22:var helmet = require('helmet');

    which has

    var DEFAULT_MIDDLEWARE = [
      'dnsPrefetchControl',
      'frameguard',
      'hidePoweredBy',
      'hsts', // <<<<<<<<<<<<<<<<<<
      'ieNoOpen',
      'noSniff',
      'xssFilter'
    ]
    

  • Admin Staff

    @vf144 thanks for looking into this. This commit should fix the issue.



  • Yes. It is working now.

    Thanks!
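
    An added check (not NodeBB's or helmet's own code) that parses the response headers quoted above and reports whether the Strict-Transport-Security policy matches the admin setting; the sample response and the shape of the `setting` object are constructed for this example.

```javascript
// Added example: verify that the HSTS header a server actually sends matches
// the configured "Strict Transport Security" setting. Runs on plain Node, no deps.

// Constructed sample, built from the `curl -I` output quoted in the thread.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'X-Frame-Options: SAMEORIGIN',
  'Strict-Transport-Security: max-age=15552000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'X-Powered-By: NodeBB',
].join('\r\n') + '\r\n\r\n';

// Parse raw response headers (status line first) into a lower-cased name -> value map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Parse an HSTS policy value (RFC 6797; directive names are case-insensitive).
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [name, val] = directive.split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age': policy.maxAge = Number(val); break;
      case 'includesubdomains': policy.includeSubDomains = true; break;
      case 'preload': policy.preload = true; break;
    }
  }
  return policy;
}

// Compare what is sent with what was configured. `setting` is an assumed shape
// mirroring the ACP toggle: { enabled, maxAge (seconds), includeSubDomains }.
function checkHsts(raw, setting) {
  const value = parseHeaders(raw)['strict-transport-security'];
  if (!setting.enabled) {
    return value === undefined ? { ok: true } : { ok: false, reason: 'HSTS sent while disabled' };
  }
  if (value === undefined) return { ok: false, reason: 'HSTS missing while enabled' };
  const policy = parseHsts(value);
  if (policy.maxAge !== setting.maxAge) return { ok: false, reason: 'max-age mismatch' };
  if (policy.includeSubDomains !== setting.includeSubDomains) return { ok: false, reason: 'includeSubDomains mismatch' };
  return { ok: true, policy };
}
```

    With the setting disabled, the sample response above is reported as `HSTS sent while disabled`, which is exactly the symptom described in this thread.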

