Nuxeo Platform

NXP-24030: Configure HSTS by default


    Details

    • Release Notes Summary:
      The HSTS header is enabled by default when HTTPS is in use
    • Impact type:
      Configuration Change
    • Upgrade notes:

      When HTTPS is enabled (which is the case when a non-zero value is specified for nuxeo.server.https.port), HSTS is automatically enabled with the following defaults:

      • nuxeo.server.hsts.maxage=2592000
      • nuxeo.server.hsts.includesubdomains=false
      • nuxeo.server.hsts.preload=false

      HSTS can be disabled by specifying:

      • nuxeo.server.hsts.enabled=false
    • Sprint:
      nxcore 10.1.1
    • Story Points:
      1

      Description

      The HSTS (HTTP Strict Transport Security) header should be enabled by default when HTTPS is in use.

      Let's also add a nuxeo.conf property to allow disabling this if a customer wants both HTTP and HTTPS, but the default should be that HSTS is enabled.
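      A small check for the behaviour described in the upgrade notes and the description above, added here as an example (it is not Nuxeo's code): it derives the Strict-Transport-Security value that a given set of nuxeo.conf properties implies and compares it with the header a server actually returned, including the two cases where no header is expected (HTTPS off, or nuxeo.server.hsts.enabled=false). The ticket does not quote the exact header text Nuxeo emits, so the code assumes the standard RFC 6797 syntax.

```python
# Added example (not Nuxeo's code): derive the HSTS header nuxeo.conf implies and
# compare it with a server's. Assumes RFC 6797 syntax: max-age=<s>[; includeSubDomains][; preload].
HSTS_DEFAULTS = {  # defaults from the upgrade notes; https.port 0 means HTTPS is off
    "nuxeo.server.https.port": "0",
    "nuxeo.server.hsts.enabled": "true",
    "nuxeo.server.hsts.maxage": "2592000",
    "nuxeo.server.hsts.includesubdomains": "false",
    "nuxeo.server.hsts.preload": "false",
}

def _setting(conf, key):
    return conf.get(key, HSTS_DEFAULTS[key]).strip()

def expected_hsts(conf):
    """Header value implied by nuxeo.conf, or None when no header should be sent."""
    if int(_setting(conf, "nuxeo.server.https.port")) == 0:
        return None  # HTTPS off: HSTS is never enabled
    if _setting(conf, "nuxeo.server.hsts.enabled").lower() == "false":
        return None  # explicitly disabled (mixed HTTP/HTTPS deployments)
    parts = ["max-age=%d" % int(_setting(conf, "nuxeo.server.hsts.maxage"))]
    if _setting(conf, "nuxeo.server.hsts.includesubdomains").lower() == "true":
        parts.append("includeSubDomains")
    if _setting(conf, "nuxeo.server.hsts.preload").lower() == "true":
        parts.append("preload")
    return "; ".join(parts)

def parse_hsts(header):
    """Split a header value into {directive: value}; directive names are case-insensitive."""
    out = {}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        if name:
            out[name.lower()] = value.strip().strip('"')
    return out

def check_hsts(conf, observed):
    """Return findings comparing an observed header (None if absent) with conf; [] means OK."""
    expected = expected_hsts(conf)
    if expected is None:
        return ["HSTS header sent although configuration disables it"] if observed is not None else []
    if observed is None:
        return ["HSTS header missing on HTTPS response"]
    want, got = parse_hsts(expected), parse_hsts(observed)
    findings = []
    if got.get("max-age") != want["max-age"]:
        findings.append("max-age is %r, expected %s" % (got.get("max-age"), want["max-age"]))
    for d in ("includesubdomains", "preload"):
        if (d in got) != (d in want):
            findings.append(d + (" unexpectedly present" if d in got else " missing"))
    return findings
```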
