I have a patch to set HSTS configuration on the default SSL site. The upstream changes have been reviewed and the only comment was that HSTS configuration is missing. That should correctly be here. If both the patches look good, we can commit.
-- Sunil
From d15cdbedb5284ad408d3bfe59a0d8ddc191b80ca Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa <su...@medhas.org> Date: Sat, 22 Nov 2014 11:32:45 +0530 Subject: [PATCH 2/2] Set HSTS header on default SSL site - As Plinth is no longer responsible for managing SSL site configuration. - The HSTS header should not be set for non-secure requests as per RFC. - Enable for all sub-domains also for slightly better security. All subdomains for FreedomBox are likely to have SSL as well and are likely to be configured using freedombox-setup. --- setup.d/90_apache2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup.d/90_apache2 b/setup.d/90_apache2 index 10b32f9..09acd0a 100755 --- a/setup.d/90_apache2 +++ b/setup.d/90_apache2 @@ -15,6 +15,11 @@ a2dissite 000-default # setup freedombox site cat > /etc/apache2/sites-available/fbx.conf <<'EOF' +## +## Enable HSTS, even for subdomains. +## +Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS + <VirtualHost *:80> ServerName fbx AddDefaultCharset UTF-8 -- 2.1.1
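Review bot: `Header set` operates only on the onsuccess header table, so responses that Apache generates through its error path (error pages, and redirects produced by Redirect or RewriteRule) will not carry Strict-Transport-Security even over TLS; use `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS` so every HTTPS response sets the policy. The `Header` directive also depends on mod_headers, which nothing in this hunk enables, and Apache will refuse to start on an unknown directive if the module is not loaded; either add `a2enmod headers` to the setup script before fbx.conf is written, or wrap the line in `<IfModule mod_headers.c>`. The `env=HTTPS` condition is the right way to keep the header off plain-HTTP responses as RFC 6797 requires, but note that with `includeSubDomains` any subdomain that is not actually served over TLS becomes unreachable in browsers for the full max-age once this header has been seen, so the assumption in the commit message needs to hold for every subdomain freedombox-setup configures.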