Receiving 2 strict-transport-security headers with different times
NitrouZ
root at xtremenitro.org
Sun Feb 8 04:43:47 UTC 2015
Hi,
Glad to help.
Cheers.
On Sunday, February 8, 2015, deltaxfx <nginx-forum at nginx.us> wrote:
> dewanggaba, your hint was correct. Even though I am using the NGINX config
> supplied by ownCloud, there was still a setting in the admin panel to force
> HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS
> (in PHP) is set to off (and just forced through the server config), ownCloud
> sends an HSTS header for max-age=0!
> This is ownCloud 7.0.4 (stable).
> Here is the relevant code in case it helps anyone who might be searching for
> the same thing in the future:
>
> public static function checkSSL() {
>     // redirect to https site if configured
>     if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
>         // Default HSTS policy
>         $header = 'Strict-Transport-Security: max-age=31536000';
>         // If SSL for subdomains is enabled add "; includeSubDomains" to the header
>         if (\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {
>             $header .= '; includeSubDomains';
>         }
>         header($header);
>         ini_set('session.cookie_secure', 'on');
>         if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
>             $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
>             header("Location: $url");
>             exit();
>         }
>     } else {
>         // Invalidate HSTS headers
>         if (OC_Request::serverProtocol() === 'https') {
>             header('Strict-Transport-Security: max-age=0');
>         }
>     }
> }
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256508,256513#msg-256513
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
--
Sent from iDewangga Device
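The situation in the quoted post (one Strict-Transport-Security header set by nginx, a second one with max-age=0 emitted by ownCloud) is easy to check for directly. The script below is an added example for this archive page, not code from the thread, from ownCloud or from nginx. It parses a raw HTTP response, lists every STS header in wire order, reports the policy a browser will actually apply (RFC 6797 section 8.1: when several STS header fields arrive, only the first is processed) and flags any max-age=0 header, which clears a cached policy when it is the one honoured. The embedded response is constructed, and the header order in it is an assumption, not a measurement; on a real server the order is exactly what this check is meant to reveal.

```python
"""Detect conflicting Strict-Transport-Security (HSTS) headers in an HTTP response.

Added example (not ownCloud or nginx code). Works on a raw response text so it
runs offline; feed it the output of `curl -si https://host/` to check a live server.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HstsPolicy:
    raw: str
    max_age: Optional[int]        # None when max-age is missing or not an integer
    include_subdomains: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one STS header value; directive names are case-insensitive (RFC 6797 6.1)."""
    max_age = None
    include_sub = False
    for directive in value.split(';'):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition('=')
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be a quoted-string
        if name == 'max-age' and val.isdigit():
            max_age = int(val)
        elif name == 'includesubdomains':
            include_sub = True
    return HstsPolicy(raw=value.strip(), max_age=max_age, include_subdomains=include_sub)


def hsts_headers(raw_response: str) -> List[str]:
    """Return the value of every Strict-Transport-Security header, in wire order."""
    head = raw_response.split('\r\n\r\n', 1)[0]
    values = []
    for line in head.split('\r\n')[1:]:  # skip the status line
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == 'strict-transport-security':
            values.append(value.strip())
    return values


def audit(raw_response: str) -> dict:
    """Summarise the HSTS state of a response.

    'effective_*' describes the first STS header, because a conforming UA
    processes only the first one when several are present.
    """
    policies = [parse_hsts(v) for v in hsts_headers(raw_response)]
    effective = policies[0] if policies else None
    return {
        'count': len(policies),
        'duplicate': len(policies) > 1,
        'effective_max_age': effective.max_age if effective else None,
        'effective_include_subdomains': effective.include_subdomains if effective else False,
        'has_clearing_header': any(p.max_age == 0 for p in policies),
        'values': [p.raw for p in policies],
    }


# Constructed sample response mirroring the thread: the application's max-age=0
# header and the server's add_header policy both present. The order is assumed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == '__main__':
    report = audit(SAMPLE_RESPONSE)
    for i, value in enumerate(report['values'], 1):
        print(f"STS header {i}: {value}")
    if report['duplicate']:
        print("WARNING: multiple STS headers; browsers honour only the first")
    print(f"effective max-age: {report['effective_max_age']}, "
          f"includeSubDomains: {report['effective_include_subdomains']}")
    if report['has_clearing_header']:
        print("WARNING: a max-age=0 header is present; if honoured it clears the HSTS policy")
```

When the report shows the application's header winning, the clean fix is to let only one side set the header. In nginx that means either disabling the application's HSTS output, as the quoted post did, or dropping the backend's copy with `fastcgi_hide_header Strict-Transport-Security;` in the PHP location before your own `add_header` line.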