[owncloud-devel] How to get rid of message:Security & setup warnings "Strict-Transport-Security" HTTP??

Arman Khalatyan arm2arm at gmail.com
Thu May 28 16:58:25 GMT 2015


Hi,
I just testing oc 8.1.x from today.
my setup is:
"debian8-haproxy"->"debian8->http single node"
Unfortunately i cannot get rid of the message in the admin part:

"The "Strict-Transport-Security" HTTP header is not configured to
least "2,678,400" seconds. This is a potential security risk and we
recommend adjusting this setting."

But even
https://www.ssllabs.com/ssltest shows
Strict Transport Security (HSTS) Yes   max-age=31536000; includeSubDomains

My Haproxy setup is following:
   reqadd X-Forwarded-Proto:\ https
   # Distinguish between secure and insecure requests
   acl secure dst_port eq 443
   # Mark all cookies as secure if sent over SSL
   rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
   # Add the HSTS header with a 1 year max-age
   rspadd Strict-Transport-Security:\ max-age=31536000;\
includeSubDomains if secure
   default_backend www-backend

How is this test is done?
Is this test failing with ssl truncation with haproxy?

thanks,
Arman.


***********************************************************

 Dr. Arman Khalatyan              eScience -SuperComputing
 Leibniz-Institut für Astrophysik Potsdam (AIP)
 An der Sternwarte 16, 14482 Potsdam, Germany

***********************************************************


More information about the Devel mailing list