The associated WR333970 has the following update from Robert: Ok, I've spoken with John Morton and now I understand what is happening
So I thought the issue was fixed because I was using a Firefox browser and it was only showing the first Strict-Transport-Security header (the one set by Mahara), but once I used the Chromium browser I could see both HSTS headers being set. The one starting with 630 is Mahara's one and the one starting with 157 is the Nginx one.

So yep, we need to cherry-pick the https://reviews.mahara.org/#/c/10941/ patch to those sites listed (I've done/tested this out on catalyst showcase already). And once deployed out we need to login and go to Admin -> Configure site -> Site options -> Security settings and set "HSTS override" to "Yes".

To verify things are working you should see in the headers:

strict-transport-security: max-age=15768000

and not:

strict-transport-security: max-age=63072000
strict-transport-security: max-age=15768000

-- 
https://bugs.launchpad.net/bugs/1875750

Title:
  Allow override of the HSTS setting if being set downstream

Status in Mahara:
  Fix Committed

Bug description:
  To avoid the Strict-Transport-Security header being set twice
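The verification step above, written out as an added example (this is not Mahara's, Nginx's or the cherry-picked patch's own code). The two raw responses are constructed to mirror the before/after headers quoted in the thread, and the expected max-age of 15768000 is the Nginx value the thread says should remain; header names and everything else in the script are the example's own assumptions. Beyond counting headers, it reports which max-age a conforming browser would actually enforce when two are present: RFC 6797 §8.1 requires the UA to process only the first Strict-Transport-Security field, so a duplicate is not merely cosmetic.

```python
"""Check a raw HTTP response head for duplicate Strict-Transport-Security headers.

Added example, not project code. Run it stand-alone to see the verdict for the
two constructed responses, or feed it the bytes of `curl -sI https://site/`.
"""
from __future__ import annotations

import re

# Constructed sample: the "before" case, application (Mahara, 630...) and
# reverse proxy (Nginx, 157...) both emitting HSTS.
BEFORE_FIX = b"""HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
strict-transport-security: max-age=63072000
Strict-Transport-Security: max-age=15768000

"""

# Constructed sample: the "after" case, "HSTS override" set to Yes in Mahara so
# only the Nginx header remains.
AFTER_FIX = b"""HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000

"""

EXPECTED_MAX_AGE = 15768000  # the Nginx value the thread expects to survive (assumed)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse an HTTP/1.x response head into ordered (lowercased name, value) pairs.

    Duplicates and order are preserved deliberately; a dict would silently
    collapse the very condition we are looking for. Handles CRLF or LF endings
    and obsolete header folding (continuation lines starting with whitespace).
    """
    text = raw.decode("iso-8859-1")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the status line
        if not line:
            continue
        if line[0] in " \t" and headers:  # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def hsts_values(headers: list[tuple[str, str]]) -> list[str]:
    """All Strict-Transport-Security values, in wire order."""
    return [v for n, v in headers if n == "strict-transport-security"]


def max_age(value: str) -> int | None:
    """Extract max-age from one STS value; directive names are case-insensitive (RFC 6797 §6.1)."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def effective_max_age(headers: list[tuple[str, str]]) -> int | None:
    """The max-age a conforming UA enforces: only the FIRST STS field is processed (RFC 6797 §8.1)."""
    values = hsts_values(headers)
    return max_age(values[0]) if values else None


def check_hsts(raw: bytes, expected_max_age: int = EXPECTED_MAX_AGE) -> dict:
    """Verdict for one response: exactly one STS header, carrying the expected max-age."""
    headers = parse_headers(raw)
    values = hsts_values(headers)
    problems: list[str] = []
    if not values:
        problems.append("no Strict-Transport-Security header")
    if len(values) > 1:
        problems.append(f"{len(values)} Strict-Transport-Security headers: {values}")
    eff = effective_max_age(headers)
    if eff is not None and eff != expected_max_age:
        problems.append(f"browser-effective max-age {eff} != expected {expected_max_age}")
    return {"ok": not problems, "hsts_values": values,
            "effective_max_age": eff, "problems": problems}


if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        verdict = check_hsts(raw)
        print(f"{label}: {'OK' if verdict['ok'] else 'FAIL'} {verdict['problems']}")
```

Against the constructed "before" response the check fails on two counts: two headers are present, and the one a browser would honour is Mahara's 63072000, not the proxy's 15768000. Against the "after" response it passes. To use it on a live site, read the output of `curl -sI` into `check_hsts` instead of the constructed bytes.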