Simple way to enable HTTP Strict Transport Security in Nette?
- Honza Kuchař
- Member | 1662
Security first.
Should there be some easy way to enable HSTS in a Nette application? I use it for all our services.
- Filip Procházka
- Moderator | 4668
Having a config option that would make Nette send the header and propagate the Route::SECURED flag to all routes would be nice. There could be a new flag for App\Request that will force the router to add https:// even if the flag is not set.
- Jan Tvrdík
- Nette guru | 2595
Maybe to you but not to me. There is no standard (interface) way to set the Route::SECURED flag.
- Filip Procházka
- Moderator | 4668
@JanTvrdík that's why I mentioned the App\Request that could deliver the flag to the Route.
- Honza Kuchař
- Member | 1662
@Milo Default flags are only part of the thing. A header informing the browser for how long it should use HTTPS only must also be sent. E.g.:
Strict-Transport-Security: max-age=31536000; includeSubDomains
- Honza Kuchař
- Member | 1662
Sure, that is what I do, but I do not think that it is the cleanest way it can be done.
Because wherever there is any route without the Route::SECURED flag, you get an infinite redirection loop. I think there should be some support from the side of the framework.
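As an added example (not code from this thread or from Nette itself): a hypothetical base presenter that forces HTTPS from the real scheme of the incoming request and sends the HSTS header only on HTTPS responses, so a route that lacks Route::SECURED cannot produce the redirect loop described above. It assumes the Nette 3 presenter and Nette\Http API, and that the proxy settings are configured so isSecured() is correct behind a TLS terminator.

```php
<?php
declare(strict_types=1);

namespace App\Presenters;

use Nette\Application\UI\Presenter;
use Nette\Http\IResponse;
use Nette\Http\Url;

/**
 * Hypothetical base presenter (added example, not Nette's own code).
 * The redirect decision is based on the actual request scheme, not on a
 * per-route flag, so an HTTPS request is never redirected again.
 */
abstract class SecuredPresenter extends Presenter
{
    /** Assumed policy: one year, the same value as the header quoted in the thread. */
    private const HSTS_MAX_AGE = 31536000;

    protected function startup(): void
    {
        parent::startup();

        $httpRequest = $this->getHttpRequest();
        $httpResponse = $this->getHttpResponse();

        if (!$httpRequest->isSecured()) {
            // Plain HTTP: redirect once to the same URL over HTTPS.
            // redirectUrl() aborts the presenter, so nothing below runs for HTTP.
            $url = new Url((string) $httpRequest->getUrl());
            $url->setScheme('https');
            $this->redirectUrl((string) $url, IResponse::S301_MOVED_PERMANENTLY);
        }

        // Reached only over HTTPS. Browsers ignore HSTS received over plain HTTP,
        // so the header is sent on secured responses only. Note "max-age=" uses '='.
        $httpResponse->setHeader(
            'Strict-Transport-Security',
            'max-age=' . self::HSTS_MAX_AGE . '; includeSubDomains'
        );
    }
}
```

Every presenter that extends this class gets the same behaviour, so no individual route needs the Route::SECURED flag for the HTTPS upgrade to hold.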