After upgrading to 1.9.0.beta3, the SSL (Let’s Encrypt) rating has changed from A+ to A; the problem is HSTS.
Thanks very much
What is the problem with HSTS?
Using the ssllabs.com query, the sentence “HTTP Strict Transport Security (HSTS) with long duration deployed on this server” disappears. Thank you.
The default HSTS configuration is compliant with the SSL Labs recommendations. What site are you testing, and what changes have you made to the default discourse_docker templates?
I have nothing to change, completely default. My website is https://www.xxxx.com/
Your site is not sending an HSTS header at all. You’re also sending a header that was reverted from the default template nine days ago. Whatever you’re doing over there, it isn’t what we recommend.
Working fine on my self hosted by the book install of Discourse
Hmm, plausible, as I did a command line rebuild yesterday cc @falco.
Can confirm discourse.codinghorror.com is no longer sending an HSTS header at all:
$ wget -O /dev/null -S https://discourse.codinghorror.com -q
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Jul 2017 22:04:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Discourse-Route: list/latest
Cache-Control: no-store, must-revalidate, no-cache, private
X-Discourse-Cached: true
X-Request-Id: f40d4ea9-375a-4a9e-b6e1-c7500ffa194f
X-Runtime: 0.002585
X-Discourse-TrackView: 1
Referrer-Policy: no-referrer-when-downgrade
Yeah, I made a mistake when I added the Referrer-Policy header.
nginx add_header’s lack of support for inheritance got me there.
Will fix soon.
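The add_header inheritance trap described above, shown as an added example (this is not the discourse_docker template; the server/location layout, the snippet path and the upstream name are assumptions). In nginx, add_header directives are inherited from the enclosing level only if the current level defines none of its own, so adding a single add_header inside a location block silently discards every add_header set in the server block, which is exactly how adding Referrer-Policy dropped Strict-Transport-Security:

```nginx
# Added example, not Discourse's own config. Hostname, upstream and snippet path are placeholders.

# BROKEN: the location block defines its own add_header (Referrer-Policy), so nginx
# ignores all four add_header lines from the server block for responses served by
# that location. HSTS, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection
# vanish from the response, and SSL Labs drops the grade from A+ to A.
server {
    listen 443 ssl http2;
    server_name www.example.com;                   # placeholder host

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        add_header Referrer-Policy no-referrer-when-downgrade always;  # drops the four above
        proxy_pass http://discourse;               # placeholder upstream
    }
}

# FIXED: keep the complete header set in one snippet and include it in every block
# that uses add_header. Nothing inherits, so nothing is lost by accident.
#
# Contents of /etc/nginx/snippets/security-headers.conf (assumed path):
#   add_header Strict-Transport-Security "max-age=31536000" always;
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header X-Content-Type-Options nosniff always;
#   add_header X-XSS-Protection "1; mode=block" always;
#   add_header Referrer-Policy no-referrer-when-downgrade always;
server {
    listen 443 ssl http2;
    server_name www.example.com;                   # placeholder host

    include snippets/security-headers.conf;

    location / {
        include snippets/security-headers.conf;    # repeat: this block has its own add_header set
        proxy_pass http://discourse;               # placeholder upstream
    }
}
```

Two practical notes. The `always` parameter makes nginx emit the headers on error responses as well, not only on 2xx/3xx; without it a 404 or 500 page is served without HSTS. And SSL Labs only credits “HSTS with long duration” when max-age is at least 180 days (15552000 seconds), so a short max-age passes the header check but still costs the A+. After a rebuild, confirm with the same kind of check used in this thread, for example `wget -O /dev/null -S -q https://your-host/` or `curl -sI https://your-host/`, and make sure Strict-Transport-Security appears on both the front page and a deeper route, since each location block must be verified separately.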
Awwwwwwww yeah… we’ve all been to that circle of hell.
Rebuild a site to test this in action:
https://github.com/discourse/discourse_docker/commit/42504d319c1c7abe8501e8db4efcf1707aaaa240