silverstripe / cwp-installer

CWP project template
BSD 3-Clause "New" or "Revised" License

Strict-Transport-Security header has incorrect format #29

Closed sig-steve closed 5 years ago

sig-steve commented 5 years ago

The Strict Transport Security header defined in /app/_config/security.yml has the wrong format for the max-age parameter. It should be max-age=300, not max-age: 300.

Expected result

Developer tools console does not have warnings

Actual result (in Firefox)

Strict-Transport-Security: The site specified a header that could not be parsed successfully.
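The warning Firefox prints is the user agent rejecting the whole header, which means no HSTS policy is applied at all, not a degraded one. The following parser, added here as an illustration (it is not code from cwp-installer or cwp-core), applies the RFC 6797 grammar the same way: the value is a `;`-separated list of directives, each a `name` or `name=value` token, names are case-insensitive, and `max-age` must appear exactly once with a non-negative integer (optionally quoted) as its value. The sample header values at the bottom are constructed, and `preload_eligible` encodes the hstspreload.org submission rules as I know them (max-age of at least one year, plus `includeSubDomains` and `preload`), which is an assumption rather than anything the issue states.

```python
"""Validate a Strict-Transport-Security header value the way a browser would.

Added example, not part of the cwp-installer project. Grammar per RFC 6797 6.1.
"""
import re
from dataclasses import dataclass, field

# RFC 6797: directive = directive-name [ "=" directive-value ]
# directive-name is an HTTP token (no ':' or whitespace), the value is a token
# or a quoted-string. No whitespace is allowed around "=", so `max-age: 300`
# fails here for the same reason it fails in Firefox.
_DIRECTIVE_RE = re.compile(
    r"""^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:=("?)([^";]*?)\2)?\s*$"""
)
_KNOWN = {"max-age", "includesubdomains", "preload"}
ONE_YEAR = 31_536_000  # assumed hstspreload.org minimum max-age


class HstsParseError(ValueError):
    """Raised when a user agent would discard the header entirely."""


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    warnings: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value into a policy, or raise HstsParseError."""
    seen = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # grammar permits empty elements between ';'
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise HstsParseError(f"malformed directive: {raw.strip()!r}")
        name, directive_value = m.group(1).lower(), m.group(3)
        if name in seen:
            # RFC 6797 6.1: a duplicated directive invalidates the header
            raise HstsParseError(f"duplicate directive: {name}")
        seen[name] = directive_value

    if "max-age" not in seen:
        raise HstsParseError("required max-age directive is missing")
    max_age = seen["max-age"]
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise HstsParseError(f"max-age must be delta-seconds, got {max_age!r}")

    policy = HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )
    for name, directive_value in seen.items():
        if name not in _KNOWN:
            # unrecognised directives are ignored, not fatal
            policy.warnings.append(f"unrecognised directive ignored: {name}")
        elif name != "max-age" and directive_value is not None:
            policy.warnings.append(f"{name} is valueless, value ignored")
    return policy


def preload_eligible(policy: HstsPolicy) -> bool:
    """Assumed preload-list criteria: >= 1 year, includeSubDomains, preload."""
    return (policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


def check_header(value: str) -> str:
    """One-line verdict suitable for a config lint step."""
    try:
        policy = parse_hsts(value)
    except HstsParseError as exc:
        return f"error: {exc}"
    note = f"ok: max-age={policy.max_age}s"
    if policy.warnings:
        note += " (" + "; ".join(policy.warnings) + ")"
    return note


if __name__ == "__main__":
    # constructed sample values: the bug from the issue, the fix, and variants
    for sample in ("max-age: 300",
                   "max-age=300",
                   'max-age="300"',
                   "max-age=300; max-age=600",
                   "includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(f"{sample!r:50} -> {check_header(sample)}")
```

Running the script shows `max-age: 300` rejected as a malformed directive while `max-age=300` parses; wire `check_header` into whatever reads the YAML value in a test to catch this class of typo before a deploy rather than in a browser console.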

brynwhyman commented 5 years ago

Thanks for raising this! Docs to confirm the syntax: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html#examples

There's also a yaml example comment that should be updated in https://github.com/silverstripe/cwp-core/blob/2.4/src/Control/InitialisationMiddleware.php#L64

brynwhyman commented 5 years ago

Hi @sig-steve, we've fixed this but it will need another module release before the fix is available outside the development branch. A release of version 2.5 for CWP is scheduled for early December.

Assuming you've already fixed this in your project code, I'm going to close this issue. Thanks!

sig-steve commented 5 years ago

Thank you! That's great news.