Let’s Encrypt problem after upgrading to 1.9.0.beta3

After upgrading to 1.9.0.beta3, the SSL (Let’s Encrypt) rating has changed from A+ to A; the problem is HSTS.

Thanks very much

1 Like

What is the problem with HSTS?

Using the ssllabs.com query, the sentence “HTTP Strict Transport Security (HSTS) with long duration deployed on this server” disappears. Thank you.

The default HSTS configuration is compliant with the SSL Labs recommendations. What site are you testing, and what changes have you made to the default discourse_docker templates?

I have nothing to change, completely default. My website is https://www.xxxx.com/

Your site is not sending an HSTS header at all. You’re also sending a header that was reverted from the default template nine days ago. Whatever you’re doing over there, it isn’t what we recommend.

4 Likes

Working fine on my self-hosted, by-the-book install of Discourse.

3 Likes

Hmm, plausible, as I did a command line rebuild yesterday cc @falco.

1 Like

Can confirm discourse.codinghorror.com is no longer sending an HSTS header at all:

$ wget -O /dev/null -S https://discourse.codinghorror.com -q
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 13 Jul 2017 22:04:15 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-Discourse-Route: list/latest
  Cache-Control: no-store, must-revalidate, no-cache, private
  X-Discourse-Cached: true
  X-Request-Id: f40d4ea9-375a-4a9e-b6e1-c7500ffa194f
  X-Runtime: 0.002585
  X-Discourse-TrackView: 1
  Referrer-Policy: no-referrer-when-downgrade

2 Likes

Yeah, I made a mistake when I added the Referrer-Policy header.

nginx add_header’s lack of support for inheritance got me there.

Will fix soon.

9 Likes
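The add_header inheritance pitfall described above, as an added illustration that is not taken from the thread or from the discourse_docker templates: in nginx, a block that declares any add_header of its own stops inheriting every add_header from its parent, so adding Referrer-Policy in a nested block silently drops HSTS. The server name and upstream name are assumptions.

```nginx
# BROKEN: the location block has its own add_header, so nginx ignores
# every add_header set in the enclosing server block. Responses for "/"
# carry Referrer-Policy but NOT Strict-Transport-Security.
server {
    listen 443 ssl;
    server_name forum.example.com;            # assumed hostname

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options SAMEORIGIN;

    location / {
        add_header Referrer-Policy no-referrer-when-downgrade;
        proxy_pass http://discourse;          # assumed upstream name
    }
}

# FIXED: declare the complete header set at a single level. Once a nested
# block needs its own add_header, it must repeat all of them (or include
# one shared file that lists them all), otherwise HSTS disappears.
server {
    listen 443 ssl;
    server_name forum.example.com;

    location / {
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Referrer-Policy no-referrer-when-downgrade;
        proxy_pass http://discourse;
    }
}
```

After changing headers, check the live response (for example with `wget -S` as shown earlier in the thread) rather than trusting the config, since the dropped headers produce no error at `nginx -t` time.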

Awwwwwwww yeah… we’ve all been to that circle of hell.

6 Likes

Rebuild a site to test this in action:

https://github.com/discourse/discourse_docker/commit/42504d319c1c7abe8501e8db4efcf1707aaaa240

6 Likes

It works!

Thanks for the report @saluzi, this was a definite regression.

8 Likes