
add HTTP strict transport security header when force SSL is enabled #1855

Merged: 1 commit merged into master from robb/add-hsts on Nov 17, 2020

Conversation

robbkidd
Contributor

@robbkidd robbkidd commented Mar 26, 2020

Description

Work in progress.

  • add test for the presence of the HTTP header
  • make that test pass
  • possibly refactor tests

Related Issue

Fixes #1853

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@robbkidd robbkidd added Component: Omnibus Involving the omnibus package or its build Aspect: Security Can an unwanted third party affect the stability or look at privileged information? labels Mar 26, 2020
@robbkidd robbkidd self-assigned this Apr 20, 2020
@robbkidd robbkidd force-pushed the robb/add-hsts branch 2 times, most recently from 1a2f5a0 to d98e94b on November 13, 2020 20:45
nginx was already redirecting incoming connections from HTTP to HTTPS if
nginx->force_ssl was set to true. But the web app was not including the
STS header. This change adds a new environment variable FORCE_SSL with a
value equal to the one set for nginx. If true, Rails' config.force_ssl
is also set to true which will cause responses to include the header.

Updated the install-check InSpec test to confirm the presence of the
HTTP Strict-Transport-Security header when force_ssl is set for the
installation.

Signed-off-by: Robb Kidd <rkidd@chef.io>
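The commit message above describes two cooperating behaviours: nginx redirects plain HTTP to HTTPS, and Rails' `config.force_ssl` makes the application add the `Strict-Transport-Security` header, with a `FORCE_SSL` environment variable carrying nginx's setting into the app. The following is an added example, not code from this PR or the project it belongs to: a Rack-style middleware in plain Ruby (no Rack gem needed) that reproduces what `config.force_ssl` does, namely redirecting non-HTTPS requests and stamping HSTS only on HTTPS responses, plus a small function that performs the same check the install-check InSpec test performs. The accepted values for `FORCE_SSL`, the one-year `max-age`, the `X-Forwarded-Proto` handling and the host `app.example` are assumptions made for the example.

```ruby
# Added example, not code from this PR or its project. It mirrors the behaviour
# the commit message attributes to Rails' config.force_ssl so it can be
# exercised offline. Header name is the standard one; max-age, FORCE_SSL
# parsing and proxy handling are assumptions for this example.

HSTS_HEADER = 'Strict-Transport-Security'.freeze
ONE_YEAR    = 31_536_000 # seconds; assumed max-age, choose per deployment

# Mirrors reading a FORCE_SSL environment variable at boot. Only the literal
# strings "true", "1" or "yes" (any case) enable enforcement; anything else,
# including an unset variable, leaves it off. (Assumed parsing.)
def force_ssl_enabled?(value = ENV['FORCE_SSL'])
  %w[true 1 yes].include?(value.to_s.strip.downcase)
end

class ForceSsl
  def initialize(app, enabled:, max_age: ONE_YEAR)
    @app, @enabled, @max_age = app, enabled, max_age
  end

  def call(env)
    return @app.call(env) unless @enabled

    # A TLS-terminating proxy such as nginx hands the app a plain HTTP
    # connection, so the original scheme arrives in X-Forwarded-Proto;
    # fall back to rack.url_scheme when there is no proxy. (Assumption.)
    raw    = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
    scheme = raw.to_s.split(',').first.to_s.strip.downcase
    return redirect_to_https(env) unless scheme == 'https'

    status, headers, body = @app.call(env)
    # HSTS is only meaningful on an HTTPS response; browsers ignore it on HTTP.
    [status, headers.merge(HSTS_HEADER => "max-age=#{@max_age}"), body]
  end

  private

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for safe methods; 307 so a POST body survives the hop to HTTPS.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end
end

# The check the install-check InSpec test performs, as a function: returns the
# max-age the response advertises, or nil when the header is absent or malformed.
def hsts_max_age(headers)
  value = headers.find { |k, _| k.casecmp?(HSTS_HEADER) }&.last
  return nil unless value

  match = value.match(/\bmax-age=(\d+)/i)
  match && match[1].to_i
end

# Constructed sample requests (not captured traffic); host is an assumption.
def sample_env(scheme:, method: 'GET', forwarded: nil)
  env = {
    'rack.url_scheme' => scheme, 'REQUEST_METHOD' => method,
    'HTTP_HOST' => 'app.example', 'PATH_INFO' => '/cookbooks',
    'QUERY_STRING' => 'q=nginx'
  }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  env
end

if $PROGRAM_NAME == __FILE__
  app   = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  stack = ForceSsl.new(app, enabled: force_ssl_enabled?('true'))

  status, headers, _ = stack.call(sample_env(scheme: 'http'))
  puts "plain HTTP     -> #{status} Location: #{headers['Location']}"

  status, headers, _ = stack.call(sample_env(scheme: 'http', forwarded: 'https'))
  puts "HTTPS via nginx -> #{status} #{HSTS_HEADER}: #{headers[HSTS_HEADER]} " \
       "(max-age #{hsts_max_age(headers)})"
end
```

The point the InSpec check protects against is the gap the PR closes: a redirect alone leaves the first request of every visit on plain HTTP, while the HSTS header tells returning browsers to skip that hop entirely. The middleware therefore emits the header only on responses that actually travelled over HTTPS (directly or as reported by the proxy), and a response with `max-age=0` would be reported by `hsts_max_age` as 0, which a deployment check should treat as "HSTS effectively off".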
@robbkidd robbkidd changed the title 🚧 WIP: add HTTP strict transport security header when force SSL is enabled add HTTP strict transport security header when force SSL is enabled Nov 16, 2020
@robbkidd robbkidd merged commit f5d115c into master Nov 17, 2020
@robbkidd robbkidd deleted the robb/add-hsts branch November 17, 2020 21:55
Linked issue closed by this merge: Add support for HTTP Strict-Transport-Security header (#1853)