Support setting Strict Transport Security

sztanpet
Bear Rating Trainee
Posts: 8
Joined: 21 Aug 2014, 11:16

Support setting Strict Transport Security

Postby sztanpet » 21 Aug 2014, 11:38

Hi,
I would like to ask for STS to be supported (and possibly other headers like X-Frame-Options and Content-Security-Policy), possibly defaulting to caching images where the image is on a non-https site and serving it (altho, that seems to be broken at this time for me, will make another topic about it).

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Support setting Strict Transport Security

Postby fox » 21 Aug 2014, 11:52

Yeah, implementing all this spergtastic masturbatory shit of privacy freaks seems like an excellent idea.

> altho, that seems to be broken at this time for me, will make another topic about it).

Please don't.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Support setting Strict Transport Security

Postby fox » 21 Aug 2014, 11:53

btw this forum is not Secured Over Ssl, so maybe you should consider not posting on it, as it is not secure, is what I'm saying

sztanpet
Bear Rating Trainee
Posts: 8
Joined: 21 Aug 2014, 11:16

Re: Support setting Strict Transport Security

Postby sztanpet » 21 Aug 2014, 11:57

Would you accept a pull request with this feature, or is supporting this out of the question?

xaberus
Bear Rating Trainee
Posts: 14
Joined: 20 Mar 2013, 15:02

Re: Support setting Strict Transport Security

Postby xaberus » 21 Aug 2014, 13:45

@fox, while I agree about the not-implementing part, I cannot subscribe to the other part...

@sztanpet, I always thought that STS and friends should be implemented on the server side (i.e. Apache, nginx, you name it), as I have been using them for almost a year now. Implementing this in the actual apps leads to an uncontrollable, inconsistent mess, which you probably do not want to be in. On the other hand, if you do not have control over the server, then your privacy has already been violated by a foreign party, and this is exactly what fox was complaining about, right?

jmozmoz
Bear Rating Trainee
Posts: 26
Joined: 14 Apr 2013, 18:07

Re: Support setting Strict Transport Security

Postby jmozmoz » 21 Aug 2014, 22:59

You might try this plugin: https://github.com/jmozmoz/remove_external_content It replaces images/attachments hosted on external hosts with a link to them. You can turn it on and off with an icon in the menu bar (a reload of the current feed is necessary for it to take effect).

@fox: please add the plugin to the list in the wiki. Thanks.

xtaz
Bear Rating Master
Posts: 174
Joined: 24 Dec 2009, 16:48

Re: Support setting Strict Transport Security

Postby xtaz » 22 Aug 2014, 17:15

HSTS should definitely be implemented on the webserver rather than in the content. Otherwise you could end up in situations where the header is sent when the host doesn't even support SSL, or the header is sent twice. It's easy enough to configure on the webserver. For example, I use nginx, and you just have to add something like this to the config if you want it.

    add_header Strict-Transport-Security "max-age=31536000";

macfly
Bear Rating Disaster
Posts: 82
Joined: 27 Mar 2013, 23:07

Re: Support setting Strict Transport Security

Postby macfly » 22 Aug 2014, 18:27

yeah, and in Apache:

    Header add Strict-Transport-Security "max-age=31536000; includeSubDomains"
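The nginx and Apache directives in the two posts above both emit the same header; what goes wrong, as xtaz points out, is the header arriving on a plain-HTTP response or being sent twice when the web server and the application both add it. This is an added example, not code from the thread or from tt-rss: a small checker that parses a Strict-Transport-Security value according to RFC 6797 and reports those two misconfigurations, plus a weak max-age. The sample responses at the bottom are constructed to mirror the snippets above and the two failure modes discussed; the 31536000-second (one-year) threshold is taken from those snippets.

```python
"""Validate the Strict-Transport-Security (HSTS) header a server sends.

Added example, not code from the forum thread or from tt-rss. It checks
the failure modes raised above: the header arriving on a plain-HTTP
response (where a browser must ignore it) and the header being sent
twice because both the web server and the application add it. Parsing
rules follow RFC 6797; the sample responses are constructed.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # the max-age value used in the nginx and Apache snippets


def parse_hsts(value: str) -> dict:
    """Parse one STS header value into its directives (RFC 6797 section 6.1).

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool}.
    Raises ValueError for a value a user agent would reject: missing or
    non-numeric max-age, or a directive that appears more than once.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen: set[str] = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="31536000" (quoted) is also allowed
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def check_hsts(scheme: str, headers: list[tuple[str, str]], min_age: int = ONE_YEAR) -> list[str]:
    """Return findings for one response; an empty list means the header is fine.

    scheme is 'http' or 'https'; headers is the (name, value) list in the
    order the server sent it, so a doubled header stays visible.
    """
    findings: list[str] = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        if sts:
            findings.append("STS header sent over plain HTTP; browsers must ignore it (RFC 6797 8.1)")
        return findings  # nothing else to check on an HTTP response
    if not sts:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
        return findings
    if len(sts) > 1:
        findings.append(f"STS header sent {len(sts)} times (server and app both adding it?); only the first is processed")
    try:
        policy = parse_hsts(sts[0])
    except ValueError as exc:
        findings.append(f"unparseable STS header {sts[0]!r}: {exc}")
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy for this host")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below the {min_age}s used in the snippets above")
    return findings


if __name__ == "__main__":
    # Constructed responses: what the nginx/Apache snippets above would produce,
    # plus the two misconfigurations discussed in the thread.
    samples = {
        "nginx, https": ("https", [("Strict-Transport-Security", "max-age=31536000")]),
        "apache, https": ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
        "server + app both set it": ("https", [("Strict-Transport-Security", "max-age=31536000"),
                                               ("strict-transport-security", "max-age=600")]),
        "header on plain http": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    }
    for label, (scheme, headers) in samples.items():
        print(f"{label}: {check_hsts(scheme, headers) or 'ok'}")
```

Feeding it the header list from a real response (for example the raw header pairs from an HTTP client library, in send order) turns the "sent twice" and "sent over HTTP" cases from a guess into a reproducible check, which is the quickest way to tell whether the app-side header sztanpet asks for is duplicating one the web server already adds.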

sztanpet
Bear Rating Trainee
Posts: 8
Joined: 21 Aug 2014, 11:16

Re: Support setting Strict Transport Security

Postby sztanpet » 05 Sep 2014, 00:49

For the record, it's required in both, because lighttpd, for example, does not touch the headers returned from the CGI apps.

JustAMacUser
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

Re: Support setting Strict Transport Security

Postby JustAMacUser » 05 Sep 2014, 06:48

I use Nginx, but I cannot imagine that lighttpd doesn't let you modify headers when passing through scripts.

Nevertheless, as others have said, the layer that handles the "transport" should be the one handling the rules for said transport. In other words, the web server; not some arbitrary application.
