On further reflection, I decided not to include the "Strict-Transport-Security" header in Mahara core. It has too much potential to cause problems for site admins. If one of them did want to serve HTTP & HTTPS content off the same domain (i.e. https://example.com/mahara & http://example.com/insecure/) they probably wouldn't notice this setting until after it was causing problems, and once they reached that point, there would be no easy way to roll back the problem. See http://stackoverflow.com/questions/10629397/how-to-disable-http-strict-transport-security
The only way to revert Strict-Transport-Security (i.e. HSTS) once it has been sent out, is:

1. Wait out the max-age period
2. Have *all* your site users clear their individual browser caches
3. Have the HTTPS version of your site serve a Strict-Transport-Security page with max-age:0. (But, you have to keep this up until *all* affected visitors have been served a copy of it.)

Of course, this difficulty in reversing it is by design. That's the whole point of this setting! But for us, because this setting will cause nearly irreversible problems for the few sites where it is not appropriate, it would be irresponsible of us to turn it on automatically.

--
https://bugs.launchpad.net/bugs/1531987

Title: Review HTTP headers to improve security

Status in Mahara: Confirmed
Status in Mahara 1.10 series: Confirmed
Status in Mahara 15.04 series: Confirmed
Status in Mahara 15.10 series: Confirmed

Bug description:
We need to review our HTTP headers to improve security and check which ones we should include per default and which ones might need to be configurable. The review will include but is not limited to:

- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Server
- X-Powered-By
- X-Permitted-Cross-Domain-Policies
- Caching headers

Initial reports for X-XSS-Protection header by SaifAllah benMassaoud and Zeeshan.
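The rollback mechanics described in the comment above, as an added example that is not part of the bug thread or of Mahara's code: a parser for the Strict-Transport-Security value, a builder that emits the normal policy, nothing, or the max-age=0 rollback, and a small model of a browser's cached HSTS list showing that only max-age=0 clears an entry while simply dropping the header leaves it in place. The one-year default max-age and the host names are constructed sample values.

```python
from typing import Optional

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Directive names are case-insensitive, max-age is required and may be
    quoted, and unknown directives are ignored."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"invalid max-age: {raw!r}")
            result["max_age"] = int(raw)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result

def build_hsts(enabled: bool, rolling_back: bool = False,
               max_age: int = 31536000, include_subdomains: bool = False) -> Optional[str]:
    """Header value the site should send, or None to send no header.
    Rolling back sends max-age=0, the only value that clears a policy
    browsers have already cached; simply dropping the header does not.
    The one-year default max_age is a constructed sample value."""
    if rolling_back:
        return "max-age=0"
    if not enabled:
        return None
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

def update_hsts_cache(cache: dict, host: str, header: Optional[str]) -> dict:
    """Model of a browser's known-HSTS-hosts list (RFC 6797 section 8.1):
    max-age>0 records or refreshes the host, max-age=0 deletes it, and a
    response carrying no header leaves any cached entry untouched."""
    if header is None:
        return cache
    policy = parse_hsts(header)
    if policy["max_age"] == 0:
        cache.pop(host, None)
    else:
        cache[host] = policy
    return cache
```

The rollback header has to keep being served over HTTPS until every client that cached the old policy has received it, which is the point the comment makes.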

