Closed. ghost closed this 8 years ago.
@jmcampanini we originally had HSTS available but turned off by default in the bundle. the reasons for removing it are:
thoughts? i'd be open to adding it in, but i'd want the default to be OFF if we did.
Yep, makes sense that this header should live with the reverse proxy when you have multiple apps behind the same proxy instance. In the case where you're not using a proxy it's not particularly onerous to spin up nginx and configure this header. I'll close out this PR.
cool. would be willing to revisit if this comes up in the field more. maybe add it as an off-by-default option (with a big warning).
This adds the Strict-Transport-Security header with a default value of 1 year. It is enabled by default and will consequently break web apps that do not use HTTPS.
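The thread's conclusion is that HSTS belongs on the reverse proxy rather than in the app bundle. As an added example (not code from this PR or project), this is the nginx shape that implements it with the same one-year `max-age` the PR proposed; the hostname, certificate paths and upstream address are assumed placeholders.

```nginx
# Added example, not part of the PR: HSTS emitted by the reverse proxy.
# Assumed values: app.example.com, cert paths, upstream 127.0.0.1:8080.

server {
    listen 80;
    server_name app.example.com;
    # Browsers ignore Strict-Transport-Security received over plain HTTP,
    # so this block only redirects; the header lives in the TLS block below.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/ssl/certs/app.example.com.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/app.example.com.key;  # assumed path

    # max-age=31536000 is the one-year value the PR used. "always" makes nginx
    # send the header on error responses too. Once a browser has seen it, it
    # will refuse plain HTTP for this host for the full max-age, which is the
    # breakage the thread warns about: roll out with a short max-age (e.g. 300)
    # until every host behind this name is confirmed to serve HTTPS, and add
    # includeSubDomains only if every subdomain does as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed app upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Verify with `curl -sI https://app.example.com | grep -i strict-transport-security` after reload; the header should appear on the 443 listener and never on the 80 listener.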