madmatt
commented
5 years ago We should ideally add this to htaccess rather than in PHP code, so that it also applies to all requests for static files on CWP. However that's a little more annoying as it's harder to control based on environment.
In particular, you'd normally want to exclude dev environments from enforcing this - while provisioners like Vagrant and Docker could handle this for people automatically during bootstrapping, I don't think they're in common enough use.
Note: The above applies more for the Director::forceSSL() call than the Strict-Transport-Security header application, because STS only kicks in if the site you're on is delivered over https. So you need to have both Director::forceSSL() and HTTPResponse->addHeader('Strict-Transport-Security', 'max-age=x') headers to actually make this work.
In the past, we've done this via a middleware/request processor rather than in PageController, so it applies everywhere including the CMS, and then backed that up with htaccess rules, although realistically only one is really necessary.
chillu
robbieaverill
Overview
See https://docs.silverstripe.org/en/4/developer_guides/security/secure_coding/#security-headers. If we add this to
Page_Controllerrather thanBasePageController, it only applies to new projects automatically - so doesn't constitute a semver breakage that'll catch out sites which aren't on HTTPS already.Aside: In the CWP ecosystem, Incapsula provides default certs, so every site has the ability to be served with or without TLS/SSL. But not all sites can enforce SSL only, because third party client-side assets aren't available via SSL, and would cause mixed content warnings. The one example I had in mind (http://www.journeys.nzta.govt.nz/ using Metservice APIs) has since been fixed. We could treat this as an exception rather than the rule, and allow opt-out?
Mention this in the relevant docs:
Pull Requests