Closed PeterJCLaw closed 12 months ago
Hrm, of course the side-effect of this is that visits to http://srobo.org will never see the HSTS header since we redirect to https://studentrobotics.org rather than going up to https://srobo.org first. Not sure if that's better or not.
Somehow this prevented our X-Frame-Options and X-Content-Type-Options headers from being emitted in prod. Locally those are emitted even with this change, which is very odd. I've reverted this in 5080d5d2a5eb12fc160d3484294c33c892a8b018 until we have time to properly investigate.
Summary
Some HTTPS tooling (most notably https://hstspreload.org/) warns about emitting HSTS headers on non-HTTPS connections, as it has no effect. While it's slightly cleaner to have this declared upfront on all connections, restricting it to just the right places is more correct.
This change also means that we don't emit the header for other domains which happen to point at these servers (whether that's our own domains falling back to them or other ones), which also feels slightly more correct.
Code review
Testing
Links
https://hstspreload.org/?domain=studentrobotics.org
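For reference, here is what "emit HSTS only where it takes effect" looks like as server configuration. This is an added illustration, not the project's own config: the PR does not say which web server Student Robotics runs, so this assumes nginx, and the certificate paths and document root are placeholders. It shows the weak setting (header declared globally, so it is also sent on the port-80 response that hstspreload.org complains about) beside the corrected one, and includes the header-inheritance behaviour of nginx that can make unrelated headers vanish when HSTS is moved into a narrower block.

```nginx
# Added example (assumes nginx; not the project's configuration).
# Hostnames are the ones from this PR; certificate paths and roots are placeholders.

# --- Weak: one global add_header, so HSTS is also sent on plaintext responses ---
# http {
#     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
#     # ... server blocks ...
# }
# The browser ignores HSTS on a non-TLS response, and preload tooling flags it.

# --- Corrected: HSTS only inside the TLS server block ---

# Plaintext listener: redirect only, no security headers.
# For a domain being submitted to the preload list, the http listener for that
# exact host must redirect to https on the *same* host before any cross-host
# redirect happens, hence $host rather than a hard-coded other domain.
server {
    listen 80;
    listen [::]:80;
    server_name studentrobotics.org www.studentrobotics.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name studentrobotics.org www.studentrobotics.org;

    ssl_certificate     /etc/ssl/certs/studentrobotics.org.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/studentrobotics.org.key;  # placeholder

    # HSTS lives here and nowhere else. "always" sends it on 4xx/5xx responses too.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # nginx inherits add_header from the enclosing level ONLY when the current
    # level declares none. Adding HSTS here therefore silences any
    # X-Frame-Options / X-Content-Type-Options set at http{} level unless they
    # are repeated at this level.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    root /var/www/studentrobotics;  # placeholder
}

# Catch-all for any other name that happens to resolve to this server:
# no HSTS, no redirect into the studentrobotics.org policy.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4; refuses TLS for unknown names
    return 444;
}
```

Note that the inheritance rule in the TLS block is a plausible cause of the symptom described in the comment above (other headers disappearing in prod once HSTS was scoped), but only if the production server is nginx with those headers declared at an outer level; the PR does not establish that, so treat it as something to check rather than a diagnosis.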