Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable HSTS includeSubdomains by default #1409

Merged
merged 1 commit into from
Jul 21, 2022
Merged

Disable HSTS includeSubdomains by default #1409

merged 1 commit into from
Jul 21, 2022

Conversation

swalkinshaw
Copy link
Member

@swalkinshaw swalkinshaw commented Jul 20, 2022
edited
Loading

Ref #741

This changes the default for HSTS' includeSubdomains value from true to false. Previously a user visiting a WordPress site would result in HSTS being enabled in their browser for all subdomains of the site's domain. Now HSTS will only apply to the hostnames activately managed by Trellis in the wordpress_sites.yml config.

This is a safer default since subdomains can frequently exist without SSL.

Note: this is a breaking change for anyone who never disabled this manually. Provisioning this change will result in subdomains being excluded from HSTS. If you want this behaviour, and we recommend it where possible, you'll need to manually opt back into it:

Per site:

# group_vars/production/wordpress_sites.yml (example)

example.com:
  # rest of site config
  ssl:
    enabled: true
    hsts_include_subdomains: true

Globally:

# group_vars/production/main.yml

nginx_hsts_include_subdomains: true

Docs update: roots/docs#417

@swalkinshaw swalkinshaw mentioned this pull request Jul 20, 2022
Closed
1 task
@swalkinshaw
Disable HSTS includeSubdomains by default
6c78027 
Ref #741

This changes the default for HSTS' `includeSubdomains` value from `true`
to `false`. Previously a user visiting a WordPress site would result in
HSTS being enabled in their browser for _all_ subdomains of the site's
domain. Now HSTS will only apply to the hostnames activately managed by
Trellis in the `wordpress_sites.yml` config.

This is a safer default since subdomains can frequently exist without
SSL.
@swalkinshaw swalkinshaw force-pushed the hsts-disable-include-subdomains-by-default branch from 28d1beb to 6c78027 Compare July 21, 2022 14:24
swalkinshaw added a commit to roots/docs that referenced this pull request Jul 21, 2022
@swalkinshaw
Update hsts_include_subdomains docs
e756940 
This reflects the new default in roots/trellis#1409
@swalkinshaw swalkinshaw mentioned this pull request Jul 21, 2022
Merged
swalkinshaw added a commit to roots/docs that referenced this pull request Jul 21, 2022
@swalkinshaw
Update hsts_include_subdomains docs
1f63532 
This reflects the new default in roots/trellis#1409
@swalkinshaw swalkinshaw merged commit 048e568 into master Jul 21, 2022
@swalkinshaw swalkinshaw deleted the hsts-disable-include-subdomains-by-default branch July 21, 2022 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tangrufus tangrufus tangrufus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@swalkinshaw @tangrufus