Allow customisation of HTTP Strict Transport Security headers

Discussion in 'Feature Requests' started by Robert Chipperfield, May 27, 2022.

  1. Robert Chipperfield

    Robert Chipperfield New Member

    May 27, 2022
    Likes Received:
    Currently, if LiquidFiles is set to only allow HTTPS access, it sets a Strict-Transport-Security HTTP header with a max-age of a year, but without the includeSubDomains flag.

    To avoid the risk of another site on a subdomain of the LF installation that doesn't send HSTS headers from potentially exposing cookies set on the LF domain over HTTP, it's recommended that HSTS headers should use the includeSubDomains flag where possible.

    I realise this brings some risk if it is incorrectly configured when sites on subdomains do not listen on HTTPS, so I'm not suggesting this be enabled by default.

    Perhaps it could be an option, alongside the "HTTP or HTTPS" settings, with a suitable "here be dragons" warning?

    I suspect for most installations, there won't be any subdomains under the LF installation (e.g. is unlikely to have exist and not also listening on HTTPS).

Share This Page