cloudfoundry / docs-buildpacks

http://docs.cloudfoundry.org/buildpacks/
Apache License 2.0

Staticfile Buildpack HSTS settings do not inherit #253

Closed dmarmugi closed 3 years ago

dmarmugi commented 4 years ago

The Staticfile buildpack config-options include notes like

"Note: Setting this property to true also makes http_strict_transport_security and http_strict_transport_security_include_subdomains default to true."

I'm not sure whether this is an issue with the docs or with the buildpack, but they're not true.

For instance, this Staticfile doesn't include the include_subdomains toggle, and as a result it's missing from the returned header

$ curl -si 'https://response-test.g4.app.cloud.comcast.net' | grep Strict
Strict-Transport-Security: max-age=31536000; preload
$ cat Staticfile
http_strict_transport_security_preload: true
http_strict_transport_security: true

This behavior is borne out in the code for the buildpack, which requires each toggle independently.

I'll happily PR to either here or the buildpack if needed, once the intended behavior is confirmed.
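The following is an added example, not code from the issue reporter or from the staticfile buildpack. It models the two readings of the documentation side by side: the documented one, where http_strict_transport_security_preload: true makes the other two toggles default to true, and the observed one, where every directive needs its own toggle. It then checks the emitted header against the published preload-list requirements (max-age of at least one year, includeSubDomains, preload), since a header like the one returned above, with preload but without includeSubDomains, is exactly what gets an app rejected from that list. The max-age value is taken from the curl output above; the directive order, the flat key: value parsing of the Staticfile, and both sample Staticfiles are assumptions made for the example.

```python
"""Model of the two readings of the Staticfile HSTS options.

Added example, not the buildpack's code. It models the documented reading
(preload implies the other two toggles) and the observed reading (each
toggle independent), and checks an emitted header against the HSTS
preload-list requirements. max-age value and directive order are assumed.
"""
import re

KEY_HSTS = "http_strict_transport_security"
KEY_SUBS = "http_strict_transport_security_include_subdomains"
KEY_PRELOAD = "http_strict_transport_security_preload"

# Assumed: the max-age the buildpack emits, taken from the curl output in the issue.
MAX_AGE = 31536000

# Constructed input: the Staticfile quoted in the issue (no include_subdomains toggle).
ISSUE_STATICFILE = """\
http_strict_transport_security_preload: true
http_strict_transport_security: true
"""

# Constructed input: the same Staticfile with every toggle set explicitly,
# which yields the full header under either reading of the docs.
EXPLICIT_STATICFILE = """\
http_strict_transport_security: true
http_strict_transport_security_include_subdomains: true
http_strict_transport_security_preload: true
"""


def parse_staticfile(text):
    """Parse the flat 'key: value' lines of a Staticfile into a dict of strings."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def enabled(opts, key):
    """A toggle counts as on only when it is literally 'true' (case-insensitive)."""
    return opts.get(key, "").lower() == "true"


def hsts_header(opts, inherit):
    """Return the Strict-Transport-Security value the toggles would produce.

    inherit=True models the documented reading: preload=true makes the other
    two toggles default to true. inherit=False models the observed reading:
    every directive needs its own toggle. Returns None when HSTS is off.
    Directive order (max-age, includeSubDomains, preload) is assumed.
    """
    hsts = enabled(opts, KEY_HSTS)
    subs = enabled(opts, KEY_SUBS)
    preload = enabled(opts, KEY_PRELOAD)
    if inherit and preload:
        hsts = subs = True
    if not hsts:
        return None
    parts = ["max-age=%d" % MAX_AGE]
    if subs:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Split a header value into lower-cased directives; max-age becomes an int.

    Directive names are case-insensitive (RFC 6797), so 'IncludeSubDomains'
    and 'includeSubDomains' are treated alike.
    """
    directives = {}
    for token in re.split(r"\s*;\s*", value.strip()):
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])
    return directives


def preload_problems(value):
    """Reasons a header would be rejected by the browser HSTS preload list.

    Requirements as published by hstspreload.org: max-age of at least one
    year (31536000 seconds), includeSubDomains, and the preload directive.
    """
    d = parse_hsts(value)
    problems = []
    if d.get("max-age", 0) < 31536000:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def compare_readings(text):
    """Headers under both readings, plus what the observed one lacks for preload."""
    opts = parse_staticfile(text)
    documented = hsts_header(opts, inherit=True)
    observed = hsts_header(opts, inherit=False)
    return {
        "documented": documented,
        "observed": observed,
        "preload_problems": preload_problems(observed) if observed else ["HSTS off"],
    }


if __name__ == "__main__":
    for name, text in (("issue", ISSUE_STATICFILE), ("explicit", EXPLICIT_STATICFILE)):
        print(name, compare_readings(text))
```

Run against the Staticfile from the issue, the observed reading reproduces the header returned by curl above and flags the missing includeSubDomains; the documented reading would have produced the full header. Setting all three toggles explicitly, as in EXPLICIT_STATICFILE, gives the same result under either reading, which is the safe configuration while the intended behaviour is unconfirmed.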

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

mlimonczenko commented 4 years ago

Thank you, @dmarmugi! PR is preferred. Feel free to close this out and let me know when you've PRed.

dmarmugi commented 4 years ago

hi @mlimonczenko -- Sorry if I wasn't clear. I meant we can correct the documentation to align with the current behavior, or submit a PR to the buildpack to align the behavior with the current documentation, at your discretion. Thanks, -david

mlimonczenko commented 4 years ago

I see. Thank you for the clarity.

mlimonczenko commented 3 years ago

Hello @dmarmugi,

We were unable to prioritize this request at the time the issue was filed.

If this issue is still relevant, submit a new pull request (preferred) or a new GitHub issue.

I am closing this request. Thank you so much for your contribution.