You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To enable HSTS for a resource, we have to send a extra header entry.
In most cases the responsibility for sending extra headers lies by the backend service, but because the ingress controller is already responsible for SSL termination it would be nice to configure HSTS in the ingress object itself.
As far as I was able to see there is no reason to exclude the 'preload' directive, because it is ignored if the hostname is not in the HSTS preload list: https://hstspreload.appspot.com/
Open for discussion is the default 'max-age' in the header entry.
The text was updated successfully, but these errors were encountered:
If a UA receives more than one STS header field in an HTTP
response message over secure transport, then the UA MUST process
only the first such header field.
In case of multiple STS headers, the browser must use the first one. So the one set by the backend will be used if the backend also sets this header.
To enable HSTS for a resource, we have to send a extra header entry.
In most cases the responsibility for sending extra headers lies by the backend service, but because the ingress controller is already responsible for SSL termination it would be nice to configure HSTS in the ingress object itself.
Will result in the following config entry for servers with ssl enabled:
As far as I was able to see there is no reason to exclude the 'preload' directive, because it is ignored if the hostname is not in the HSTS preload list:
https://hstspreload.appspot.com/
Open for discussion is the default 'max-age' in the header entry.
The text was updated successfully, but these errors were encountered: