
    vf144

    @vf144

    4
    Reputation
    6
    Profile views
    3
    Posts
    0
    Followers
    0
    Following

    Best posts made by vf144

    • v1.13.1 forcing HSTS (Strict-Transport-Security: max-age=15552000; includeSubDomains)

      Cannot avoid the HSTS header even if "Strict Transport Security" is disabled

      $ curl -I http://localhost:4567/bb
      HTTP/1.1 200 OK
      X-DNS-Prefetch-Control: off
      X-Frame-Options: SAMEORIGIN
      Strict-Transport-Security: max-age=15552000; includeSubDomains
      X-Download-Options: noopen
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      Referrer-Policy: strict-origin-when-cross-origin
      X-Powered-By: NodeBB
      set-cookie: _csrf=pKgoXIjK_9iHKUbVENcTWsLD; Path=/; HttpOnly; Secure; SameSite=Strict
      Content-Type: text/html; charset=utf-8
      Content-Length: 33997
      ETag: W/"84cd-69RT9fU0GKhJKDANsNxdPOrjvls"
      Vary: Accept-Encoding
      Date: Wed, 15 Jan 2020 18:57:13 GMT
      Connection: keep-alive
      

      Screenshot from 2020-01-15 14-00-17.png

      posted in Bug Reports by vf144
    • RE: v1.13.1 forcing HSTS (Strict-Transport-Security: max-age=15552000; includeSubDomains)

      Yes. I did restart.

      I would guess that happens because of
      webserver.js:22:var helmet = require('helmet');

      which has

      var DEFAULT_MIDDLEWARE = [
        'dnsPrefetchControl',
        'frameguard',
        'hidePoweredBy',
        'hsts', // <<<<<<<<<<<<<<<<<<
        'ieNoOpen',
        'noSniff',
        'xssFilter'
      ]
      
      posted in Bug Reports by vf144
    • RE: v1.13.1 forcing HSTS (Strict-Transport-Security: max-age=15552000; includeSubDomains)

      Yes. It is working now.

      Thanks!

      posted in Bug Reports by vf144
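    The posts above show a server emitting Strict-Transport-Security even though the admin setting for it is off. The following is an added example (not NodeBB or helmet code) of a check an operator can run against a raw `curl -I` response to confirm the served HSTS header matches the intended setting; the response text is constructed from the headers quoted in the report, and the `hsts_enabled` flag is an assumed stand-in for the admin setting.

```python
"""Verify that a served HSTS header agrees with the operator's configured intent."""
import re

# Constructed sample: the header block from the curl -I output in the report above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Powered-By: NodeBB
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw):
    """Return {lowercased name: value} for a raw status line plus header block."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the HTTP status line
        if not line.strip():
            break                             # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Split an HSTS value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy

def check_hsts(raw, hsts_enabled):
    """Compare the served header with the configured intent; returns (ok, message)."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return (not hsts_enabled, "no HSTS header served")
    policy = parse_hsts(value)
    if not hsts_enabled:
        return (False, f"HSTS served although disabled in settings: {policy}")
    if policy["max_age"] is None:
        return (False, "HSTS header present but missing a valid max-age")
    return (True, f"HSTS active: {policy}")
```

Note that browsers ignore a Strict-Transport-Security header received over plain http:// (RFC 6797 section 8.1), so the header on the localhost:4567 test above is not cached by clients; it only becomes an operational problem once the same header is served over HTTPS.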

    © 2014 – 2022 NodeBB, Inc. — Made in Canada.