cubecart / v6

CubeCart Version 6
https://cubecart.com

Add support for STS #2091

Closed Noodleyman closed 5 years ago

Noodleyman commented 6 years ago

This can be added reasonably easily to the .htaccess file when SSL mode is enabled. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

https://observatory.mozilla.org/analyze/demo.cubecart.com

abrookbanks commented 5 years ago

Ideally this should be more "hard baked" but that's not so easy for new stores without SSL configured yet. I expect this solution is acceptable. Once the browser has received this header it should be strict to SSL only.

abrookbanks commented 5 years ago

I do fear, however, that it might stop the store admin from being able to log in without SSL in the admin CP, making config mistakes hard to recover from.

havenswift-hosting commented 5 years ago

I am extremely dubious about HSTS being controlled by any application and automatically adding the preload directive even more so.

You mentioned in a different issue: "includeSubDomains wouldn't be acceptable as we don't necessarily want all subdomains to have this policy." However, "includeSubDomains" being included is a precondition of including preload, and it does include ALL sub-domains, including www.

See https://hstspreload.org/, where it is clearly stated that it should be opt-in, and also about the consequences of removal.

I believe this should not be controlled by CubeCart and should be removed. It is cool and great when set up correctly, but the potential for problems is massive.

abrookbanks commented 5 years ago

Wise words. Better to not support this than to cause significant headaches to merchants.
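To make the two technical points in this thread concrete (the .htaccess approach from the opening comment, and the preload/includeSubDomains precondition and rollback cost raised later), here is an added example that is not CubeCart code and not from any commenter. It parses a Strict-Transport-Security value, reports why the hstspreload.org submission criteria (max-age of at least one year, includeSubDomains, preload) would reject it, lists what a given header commits a merchant to, and builds a conservative Apache mod_headers line that is only emitted on TLS responses. The helper names are my own; `env=HTTPS` relies on the `HTTPS` environment variable that mod_ssl sets on TLS requests, which is the usual way to key the header on SSL mode.

```python
"""Constructed example: validate Strict-Transport-Security values and build the
Apache directive an application-level "SSL mode" toggle could emit.
Not CubeCart code; helper names are hypothetical."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(header_value):
    """Parse an STS header value into {directive: value}.

    Directive names are case-insensitive (RFC 6797); max-age is stored as an
    int, flag directives as True. A non-numeric max-age raises ValueError so a
    mis-written header is caught rather than silently ignored by browsers.
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer: %r" % token)
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def preload_problems(header_value):
    """Return the reasons hstspreload.org would reject this header (empty = eligible)."""
    d = parse_hsts(header_value)
    problems = []
    if "max-age" not in d:
        problems.append("max-age missing")
    elif d["max-age"] < ONE_YEAR:
        problems.append("max-age %d is below one year (%d)" % (d["max-age"], ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (precondition for preload)")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def scope_warnings(header_value):
    """Describe what the header commits the site to, for the 'hard to recover' review."""
    d = parse_hsts(header_value)
    warnings = []
    if d.get("includesubdomains"):
        warnings.append("every subdomain (www, mail, dev, ...) becomes HTTPS-only for max-age")
    if d.get("preload"):
        warnings.append("browsers may ship the policy in their preload list; removal is slow and manual")
    if d.get("max-age", 0) > ONE_YEAR:
        warnings.append("max-age above one year: a broken certificate locks clients out for that long")
    return warnings


def apache_hsts_directive(max_age=ONE_YEAR, include_subdomains=False, preload=False):
    """Build a mod_headers line that is applied only to HTTPS responses.

    env=HTTPS keys on the variable mod_ssl sets for TLS requests, so a plain
    HTTP request (e.g. an admin login before SSL mode works) never sends STS.
    preload is refused without includeSubDomains, matching the preload list's
    own precondition. Defaults deliberately leave both flags off.
    """
    if preload and not include_subdomains:
        raise ValueError("preload requires includeSubDomains")
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return 'Header always set Strict-Transport-Security "%s" env=HTTPS' % value


if __name__ == "__main__":
    for hdr in ("max-age=31536000; includeSubDomains; preload", "max-age=86400; preload"):
        print(hdr, "->", preload_problems(hdr) or "preload-eligible", scope_warnings(hdr))
    # A short max-age is a sensible first rollout: a mistake expires quickly.
    print(apache_hsts_directive(max_age=300))
```

The point the code makes is the one the thread reaches: a header with `preload` but without `includeSubDomains` is both ineligible for the preload list and still a long-lived commitment, and the only knob an application can safely default to is a short `max-age` on TLS responses with both flags off.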