Apache will set strict/HSTS for rails in production #23742
Fryguy merged 1 commit into ManageIQ:master from
This avoids setting the same header value twice.
CP4AIOPS-25657
See:
ManageIQ/manageiq-appliance#402
ManageIQ/manageiq-pods#1347
Checked commit jrafanie@1833566 with ruby 3.3.10, rubocop 1.56.3, haml-lint 0.69.0, and yamllint
| config.hsts = "max-age=#{20.years.to_i}" | ||
| # Only set HSTS in development/test where Apache isn't fronting Rails | ||
| # In production, Apache sets HSTS (see manageiq-https-application.conf line 15) | ||
| config.hsts = Rails.env.production? ? SecureHeaders::OPT_OUT : "max-age=#{20.years.to_i}" |
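Review bot: The opt-out is keyed on `Rails.env.production?`, but the comment gives the real condition as "Apache isn't fronting Rails"; a production deployment where Apache is not in front of the app would then send no Strict-Transport-Security header at all, which fails open on the protection being deduplicated. Consider gating on an explicit "Apache fronts Rails" setting (for example a config flag fed from the environment) rather than the Rails environment, or at least state the assumption in the comment. Two smaller points: the reference to `manageiq-https-application.conf line 15` will go stale on the next edit to that file, so cite the directive instead of the line number; and "Only set HSTS in development/test" is narrower than the code, which sets it in every non-production environment.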
I'm fine merging this for now because production is when we have Apache, but I wonder if it's better to check something else that says that Apache is fronting it. Offhand I'm not sure what that is.
Note, I wonder if we need to do the same thing with other options here to make sure they're not duplicated, but let's tackle that later. I agree with your thinking.
I thought we had something somewhere to say whether or not to serve static assets. Maybe that was something else.
Curious that the max age number was different. I thought you had the same number in all the places.
@Fryguy I'm not sure what's going on with the security test
too much load maybe?

ok, 💚 now @Fryguy
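As an added example (not ManageIQ's code), the Ruby below models which Strict-Transport-Security headers a client receives with Apache in front of Rails before and after this change, and flags the duplicate and differing max-age case the description and the max-age comment above refer to. The Apache value is a constructed placeholder, and `rails_opts_out` stands in for `config.hsts = SecureHeaders::OPT_OUT`.

```ruby
# Added example, not ManageIQ code: models the HSTS headers a client sees
# when Apache fronts Rails and flags the duplicate/conflicting case.
HSTS = "Strict-Transport-Security".freeze

# Constructed placeholder for the value Apache's conf sends; not the real one.
APACHE_HSTS = "max-age=31536000; includeSubDomains".freeze
# Rails' value, "max-age=#{20.years.to_i}" (ActiveSupport's 1.year is 31_556_952 s).
RAILS_HSTS  = "max-age=#{20 * 31_556_952}".freeze

# Parse "max-age=N; includeSubDomains" into { "max-age" => "N", "includesubdomains" => nil }.
def parse_hsts(value)
  value.split(";").each_with_object({}) do |part, acc|
    name, val = part.strip.split("=", 2)
    acc[name.downcase] = val unless name.nil? || name.empty?
  end
end

# Headers each layer adds, as [name, value] pairs in wire order.
# rails_opts_out: whether config.hsts is OPT_OUT in production (this PR's change).
def response_headers(production:, rails_opts_out:)
  headers = []
  headers << [HSTS, APACHE_HSTS] if production
  headers << [HSTS, RAILS_HSTS] unless production && rails_opts_out
  headers
end

# Report duplicate HSTS headers and max-age values that disagree between layers.
def audit_hsts(headers)
  values   = headers.select { |name, _| name.casecmp?(HSTS) }.map(&:last)
  max_ages = values.map { |v| parse_hsts(v)["max-age"].to_i }
  {
    count:               values.size,
    duplicate:           values.size > 1,
    conflicting_max_age: max_ages.uniq.size > 1,
    max_ages:            max_ages,
  }
end

if __FILE__ == $PROGRAM_NAME
  before = audit_hsts(response_headers(production: true, rails_opts_out: false))
  after  = audit_hsts(response_headers(production: true, rails_opts_out: true))
  puts "production before fix: #{before}"
  puts "production after fix:  #{after}"
end
```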