
Add HSTS middleware #905

Merged
merged 1 commit into from
Jun 3, 2025

Conversation

ekohl
Member

@ekohl ekohl commented Sep 9, 2024

This header is entirely useless for us because the header is aimed at browsers, but some scanners still think this is needed.

This PR is not intended to be merged, but only serve as an example for how it could be implemented.

Link: https://www.tenable.com/plugins/nessus/142960

evgeni
evgeni previously approved these changes Sep 9, 2024
@evgeni
Member

evgeni commented Sep 9, 2024

Why not merge this? If it will make people shut up, I'm all for it.

@ehelms
Member

ehelms commented Sep 9, 2024

> Why not merge this? If it will make people shut up, I'm all for it.

I am, sadly, in the same boat as this. While I detest that scanners force us into these situations, I also feel for our users and a small change that improves their experience gets my vote.

@willdarton

I appreciate you taking the time to create a PR as a potential solution. As others have mentioned it seems like a simple fix to make the customer experience better.

@ekohl
Member Author

ekohl commented Sep 9, 2024

I'm still tempted to detect the Nessus user agent and simply reject them to silence it. Another option is to only send it to Nessus, just to shut it up.

If we want to merge this, we need to be compliant with the RFC and only send it when the connection is over TLS (RFC 6797 section 5.1). It's also good to add some tests to this.

This header is entirely useless for us because the header is aimed at
browsers, but some scanners still think this is needed.

Link: https://www.tenable.com/plugins/nessus/142960
@ekohl ekohl force-pushed the poc-hsts-header branch from bf91b16 to 3ebcf1e May 19, 2025 13:12
@ekohl ekohl marked this pull request as ready for review May 19, 2025 13:12
@ekohl
Member Author

ekohl commented May 19, 2025

Updated to inspect the env to detect HTTPS and added a Redmine issue.
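As an added example (not code from this PR or from the Foreman project), a minimal Rack-style middleware that does what the discussion above asks for: it sets `Strict-Transport-Security` only when the Rack env records that the request arrived over TLS, per RFC 6797 section 5.1. The class name, the max-age value and the sample app are assumptions, not taken from the PR.

```ruby
# Added example, not the project's own code. Works on a plain Rack env hash,
# so it runs without the rack gem installed.
class HstsMiddleware
  HEADER = 'Strict-Transport-Security'.freeze

  # max_age is in seconds; one year is a common choice (assumed, not from the PR).
  def initialize(app, max_age: 31_536_000, include_subdomains: false)
    @app = app
    @value = "max-age=#{Integer(max_age)}"
    @value += '; includeSubDomains' if include_subdomains
  end

  def call(env)
    status, headers, body = @app.call(env)
    # RFC 6797 section 5.1: the header MUST NOT be sent over plain HTTP.
    headers[HEADER] = @value if https?(env)
    [status, headers, body]
  end

  private

  # Decide from what the server itself recorded in the env. X-Forwarded-Proto
  # is deliberately not consulted here: it is only trustworthy behind a proxy
  # you control, so that decision belongs in a trusted-proxy layer.
  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on'
  end
end

# Constructed sample app and helper for a stand-alone run.
HELLO_APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def response_headers(env)
  HstsMiddleware.new(HELLO_APP, max_age: 31_536_000, include_subdomains: true).call(env)[1]
end

if $PROGRAM_NAME == __FILE__
  p response_headers('rack.url_scheme' => 'https')  # header present
  p response_headers('rack.url_scheme' => 'http')   # header absent
end
```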

@ehelms ehelms merged commit 910ba9c into theforeman:develop Jun 3, 2025
7 checks passed
@ekohl ekohl deleted the poc-hsts-header branch June 3, 2025 13:09