HTTP strict transport security
David Oliver
27 February 2014, 15:18
Hello Hugo,
After doing a little reading on the HTTP strict transport security header, I noticed that my Hiawatha-served SSL/TLS sites’ responses already have a 'Strict-Transport-Security: max-age=31536000' header. A couple of questions:
1. Under what circumstances is this header applied? (I'm using RequireSSL, but I suppose the header may be applied to all SSL sites.)
2. If PHP sends a new 'Strict-Transport-Security' header with a value such as 'max-age=86400; includeSubDomains', should this new value take effect okay?
Many thanks.
Hugo Leisink
27 February 2014, 15:21
The header is sent when RequiredSSL is set to 'yes'. Hiawatha ignores any such header sent by PHP, so you'll end up with two headers if done so.
David Oliver
27 February 2014, 15:29
Thanks - that's good to know.
Is it impossible to prevent Hiawatha from setting that header via PHP? I suspect not, and that I'd need to turn RequireSSL off if a custom value is required?
Hugo Leisink
27 February 2014, 15:33
Indeed. Turn off RequiredSSL and check for usage of HTTPS in your PHP code:
$_SERVER["HTTPS"] = "on" / "off"
$_SERVER["HTTP_SCHEME"] = "http" / "https"
David Oliver
27 February 2014, 15:42
Righty-ho. Thanks!
This topic has been closed.