Disable HSTS includeSubdomains by default
Ref #741

This changes the default for HSTS' `includeSubdomains` value from `true`
to `false`. Previously a user visiting a WordPress site would result in
HSTS being enabled in their browser for _all_ subdomains of the site's
domain. Now HSTS will only apply to the hostnames actively managed by
Trellis in the `wordpress_sites.yml` config.

This is a safer default since subdomains can frequently exist without
SSL.
swalkinshaw committed Jul 20, 2022
1 parent 5827b36 commit 28d1beb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion roles/wordpress-setup/defaults/main.yml
@@ -18,7 +18,7 @@ nginx_sites_confs:

# HSTS defaults
nginx_hsts_max_age: 31536000
nginx_hsts_include_subdomains: true
nginx_hsts_include_subdomains: false
nginx_hsts_preload: false

# HSTS helpers
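Review bot: the new `nginx_hsts_include_subdomains: false` default is safe on its own, but the neighbouring `nginx_hsts_preload` option still defaults to `false` without any note that the two are coupled: the HSTS preload list requires `includeSubDomains`, so a site that sets `nginx_hsts_preload: true` while leaving the new default in place will emit a `preload` directive the preload submission rejects. Suggest adding a short comment beside these defaults (e.g. `# preload requires nginx_hsts_include_subdomains: true`) so the dependency is visible in the defaults file. Since this is a defaults change, existing sites that relied on the old `true` value keep the cached subdomain policy in browsers until their next visit to the apex host re-sends the header without `includeSubDomains` or `nginx_hsts_max_age` (31536000 seconds) expires; worth a line in the upgrade notes alongside the #741 reference.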

0 comments on commit 28d1beb
