harden_server.rst: larger HSTS max-age value #12596

Closed
wants to merge 1 commit into from

@xalt7x xalt7x commented Feb 6, 2025

Nowadays, the common recommendation is to set HTTP Strict Transport Security max-age value to at least 1 year.
It's also min. acceptable value for preload lists.
Please see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preload

☑️ Resolves

  • Fix #…

🖼️ Screenshots

Nowadays, the common recommendation is to set HTTP Strict Transport Security max-age value to at least 1 year.
It's also min. acceptable value for preload lists.  
Please see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preload

Signed-off-by: Yevhen Popok <[email protected]>
Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smoothly and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@nickvergessen nickvergessen left a comment

@joshtrichards joshtrichards left a comment

I'm not averse to changing it to 1 year in the docs, but not sure about adjusting our setup check as I commented over there.

Note: Needs to be updated in the docs that cover Nginx too at the same time.

xalt7x commented Feb 25, 2025

@joshtrichards,
Well, this value is recommended by many companies, including Google and Microsoft. Though it really generally comes alongside the recommendation to use preload.
If this value has no use (and is, even more so, breaking) for the server, then I guess I shouldn't change it in the documentation, as it will create inconsistency...
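
The distinction discussed in this thread (a 1-year `max-age` on its own versus the full preload-list requirements) can be checked mechanically. The following is an added example, not code from this pull request or from Nextcloud's setup check; the function names, the `for_preload` parameter and the sample header values are assumptions made for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; the 1-year value discussed in this thread


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Per RFC 6797 section 6.1: directive names are case-insensitive, values
    may be quoted, and a repeated directive invalidates the header.
    Returns None when the header is invalid or max-age is missing.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (";;") are permitted by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives


def audit_hsts(value, min_age=ONE_YEAR, for_preload=False):
    """Return a list of findings; an empty list means the policy is met.

    for_preload=True additionally requires the includeSubDomains and
    preload directives, which preload lists demand alongside max-age.
    """
    parsed = parse_hsts(value)
    if parsed is None:
        return ["invalid header or missing max-age"]
    findings = []
    if parsed["max-age"] < min_age:
        findings.append(f"max-age {parsed['max-age']} is below {min_age}")
    if for_preload:
        if "includesubdomains" not in parsed:
            findings.append("includeSubDomains missing")
        if "preload" not in parsed:
            findings.append("preload missing")
    return findings
```

Feed it the header value a server actually returns (for example from `curl -sI`), and run it with `for_preload=True` only for domains that are meant to be submitted to a preload list.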
