mastoadmin 

can someone tell me why ssl labs says this instance is sending multiple hsts headers when there's only one in my config #mastoadmins

only changes I made were the appropriate domain and cert lines. all the crazy ssl/cipher/header stuff is the same.

specifically, I added "includeSubDomains" but this invalid header thing was happening even before I added that directive to it

mastoadmin 

@trashyfins

There's a known issue with Nginx where the HSTS header can be sent multiple times, but when I run the SSL Labs test, I'm not seeing that error pop up. Where are you seeing it?

mastoadmin 

@trashyfins Woops. I tested the wrong instance name. I see it.

github.com/nginxinc/kubernetes

nginx will send its own HSTS header even if the application is configured to send its own, and that's expected behavior, apparently.

re: mastoadmin 

@churusaa oh that is right. I didn't think it was that literal with it.. idky.

I'm both mad and fine with this

re: mastoadmin 

@trashyfins Possibly relevant would be changing "header add" to "header set", and defining the whole header instead of appending an HSTS header to a response that might already include one. stackoverflow.com/questions/47

re: mastoadmin 

@churusaa apparently adding proxy_hide_header Strict-Transport-Security right before the add_header worked. ssllabs gave me treats now

thanks for the tip btw :3 ✨

and for helping in general. aaaaaaaAAAAA

re: mastoadmin 

@trashyfins :undertale: I'm glad you got that figured out.
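
Added example, not part of the thread and not the instance's actual config: the duplicate-header setup next to the fix described above, for an nginx reverse proxy in front of an application that already sends its own HSTS header. The domain, certificate paths, backend address and max-age value are placeholders chosen for illustration.

```nginx
# Illustrative reverse-proxy config; all names and values below are assumed.
upstream backend {
    server 127.0.0.1:3000;    # assumed application address
}

server {
    listen 443 ssl;
    server_name example.social;                                  # placeholder
    ssl_certificate     /etc/ssl/example.social/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/example.social/privkey.pem;     # placeholder

    location / {
        # Before: add_header appends to whatever the backend returned.
        # If the application also sets Strict-Transport-Security, the
        # client receives two HSTS headers and scanners flag the response.
        #
        #   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        # After: strip the backend's copy, then emit exactly one header.
        # "always" also attaches it to error responses generated by nginx.
        proxy_hide_header Strict-Transport-Security;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend;
    }

    # Both directives are inherited from the server level only when a
    # location defines none of its own. Any other location that proxies
    # to the backend and has its own add_header or proxy_hide_header
    # lines needs this pair repeated inside it.
}
```

After reloading nginx, `curl -sI https://example.social | grep -ci strict-transport-security` should print `1` for each proxied path you check.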
