make HSTS opt-in and leave it to the reverse-proxy
authorRigel Kent <sendmemail@rigelk.eu>
Sun, 9 Sep 2018 20:10:38 +0000 (22:10 +0200)
committerRigel Kent <sendmemail@rigelk.eu>
Sun, 9 Sep 2018 20:10:38 +0000 (22:10 +0200)
server.ts
support/nginx/peertube

index 2db39ab06c3c0813d4449f4ee3ba1219cbae825f..76d00edd3ae77ee0b2b6add58b1c461dbcb2a188 100644 (file)
--- a/server.ts
+++ b/server.ts
@@ -55,7 +55,8 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 app.use(helmet({
   frameguard: {
     action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-  }
+  },
+  hsts: false
 }))
 
 // ----------- Database -----------
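Review bot: `hsts: false` in the helmet options silently removes the Strict-Transport-Security header from every response the app itself serves, and nothing in the new code records that this is deliberate, so a later maintainer is likely to read it as an oversight and re-enable it, ending up with the header sent twice once the proxy also adds it. A why-comment on the option would pin the contract: `hsts: false // HSTS is intentionally left to the reverse proxy; see support/nginx/peertube`. Operators running PeerTube behind a proxy other than the shipped nginx config, or directly on Node, now lose HSTS with no visible symptom unless they add the header themselves, which is worth calling out in the changelog or upgrade notes rather than only in the commit title. The `helmet()` call is fully inside the hunk; the surrounding middleware setup is not visible here.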
index 0720dbd979a0feb05fb5857735c5f1336dd09938..5d97c0cf1b2c474cffa1ef8114bafe6676eb05ee 100644 (file)
@@ -44,7 +44,11 @@ server {
   gzip_types text/css text/html application/javascript;
   gzip_vary on;
 
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  # Enable HSTS
+  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+  # version. Once a browser sees this header, it will only visit the site over
+  # HTTPS for the next 2 years: (read more on hstspreload.org)
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;
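Review bot: The new comment block is headed `# Enable HSTS` while the directive under it is commented out, so the default it documents is actually HSTS off; the heading should say that plainly, e.g. `# HSTS is disabled by default; uncomment the add_header line below once the site is reliably served over HTTPS`. The directive operators are invited to uncomment still carries `includeSubDomains; preload`: `preload` signals eligibility for the browser preload lists, which is effectively irreversible, and `includeSubDomains` forces HTTPS on every subdomain of the instance, so the comment should warn about both and suggest starting with a short `max-age` (minutes to days) without `preload` before committing to the two-year value. One caveat I cannot confirm from this hunk, since the `location` blocks are outside it: nginx does not inherit `server`-level `add_header` directives into any `location` that defines its own `add_header`, so the header may need to be repeated in such locations to actually reach clients.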