Actions
Issue #7804
closedDefault to enabling HSTS even for self-signed certificates, offer a knob to disable it
Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:
Description
Currently we only enable HSTS when a user provides a certificate. This is 'technically' the right approach given HSTS aims to prevent a MITM attack.
However some users/customers run security/vuln scan against their deployed tools, and HSTS is one of the item that is often check.
If deployed out-of-the-box, the HSTS check will fail. To offer user/customer a better experience, even if using self-signedd certificate we should default to enabling HSTS (and offer a knob to disable it for valid reasons[1])
Actions
pulp_webserver: Allow one to decide HSTS enablement via a knob
fixes #7804