Stop setting Strict-Transport-Security header from within the app
This commit is contained in:
parent
a9a581567c
commit
76e96878aa
4 changed files with 31 additions and 4 deletions
@ -122,10 +122,6 @@ class ApplicationController < ActionController::Base
|
||||||
headers['X-XSS-Protection'] = '1; mode=block'
|
headers['X-XSS-Protection'] = '1; mode=block'
|
||||||
headers['X-UA-Compatible'] = 'IE=edge'
|
headers['X-UA-Compatible'] = 'IE=edge'
|
||||||
headers['X-Content-Type-Options'] = 'nosniff'
|
headers['X-Content-Type-Options'] = 'nosniff'
|
||||||
# Enabling HSTS for non-standard ports would send clients to the wrong port
|
|
||||||
if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port == 443
|
|
||||||
headers['Strict-Transport-Security'] = 'max-age=31536000'
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def validate_user_service_ticket!
|
def validate_user_service_ticket!
|
||||||
|
|
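Review bot: removing the `if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port == 443` guard also removes the only place the port caveat was written down (`# Enabling HSTS for non-standard ports would send clients to the wrong port`); since HSTS now has to be enabled by hand in the web server, carry that warning over to the commented `add_header` line in the NGINX template or into the upgrade note, otherwise an operator on a non-standard port has no hint that switching it on pins browsers to the wrong port. The `X-XSS-Protection`, `X-UA-Compatible` and `X-Content-Type-Options` headers are still set right above, so a one-line comment saying that HSTS alone is now the reverse proxy's responsibility would save the next reader a search through the history.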
4
changelogs/unreleased/3440-remove-hsts-header.yml
Normal file
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
title: Stop setting Strict-Transport-Securty header from within the app
|
||||||
|
merge_request:
|
||||||
|
author:
|
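Review bot: `title:` repeats the misspelling `Strict-Transport-Securty` from the commit subject, and this line ends up verbatim in the released CHANGELOG, so correct it to `Strict-Transport-Security` here. `merge_request:` and `author:` are left empty although the file name carries `3440`; if that is the merge request number, fill in `merge_request: 3440`.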
24
doc/update/8.17-to-9.0.md
Normal file
@ -0,0 +1,24 @@
|
||||||
|
#### Nginx configuration
|
||||||
|
|
||||||
|
Ensure you're still up-to-date with the latest NGINX configuration changes:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
cd /home/git/gitlab
|
||||||
|
|
||||||
|
# For HTTPS configurations
|
||||||
|
git diff origin/8-17-stable:lib/support/nginx/gitlab-ssl origin/9-0-stable:lib/support/nginx/gitlab-ssl
|
||||||
|
|
||||||
|
# For HTTP configurations
|
||||||
|
git diff origin/8-17-stable:lib/support/nginx/gitlab origin/9-0-stable:lib/support/nginx/gitlab
|
||||||
|
```
|
||||||
|
|
||||||
|
If you are using Strict-Transport-Security in your installation to continue using it you must enable it in your Nginx
|
||||||
|
configuration as GitLab application no longer handles setting it.
|
||||||
|
|
||||||
|
If you are using Apache instead of NGINX please see the updated [Apache templates].
|
||||||
|
Also note that because Apache does not support upstreams behind Unix sockets you
|
||||||
|
will need to let gitlab-workhorse listen on a TCP port. You can do this
|
||||||
|
via [/etc/default/gitlab].
|
||||||
|
|
||||||
|
[Apache templates]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
|
||||||
|
[/etc/default/gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/blob/9-0-stable/lib/support/init.d/gitlab.default.example#L38
|
|
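Review bot: the sentence "If you are using Strict-Transport-Security in your installation to continue using it you must enable it in your Nginx configuration as GitLab application no longer handles setting it." is hard to parse; suggest "GitLab no longer sets the Strict-Transport-Security header itself. If you relied on it, enable it in your NGINX configuration (see the commented `add_header Strict-Transport-Security` line in `lib/support/nginx/gitlab-ssl`, which the `git diff` above will show you)." The Apache paragraph only points readers at the templates; an Apache deployment loses the header just the same as an NGINX one, so it needs the same instruction to re-enable HSTS in the web server.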
@ -82,6 +82,9 @@ server {
|
||||||
##
|
##
|
||||||
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
|
|
||||||
|
## [Optional] Enable HTTP Strict Transport Security
|
||||||
|
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
## Individual nginx logs for this GitLab vhost
|
## Individual nginx logs for this GitLab vhost
|
||||||
access_log /var/log/nginx/gitlab_access.log;
|
access_log /var/log/nginx/gitlab_access.log;
|
||||||
error_log /var/log/nginx/gitlab_error.log;
|
error_log /var/log/nginx/gitlab_error.log;
|
||||||
|
|
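Review bot: the suggested directive `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` is stricter than what the application used to send (`max-age=31536000` with no `includeSubDomains`), so an operator who uncomments it to restore the previous behaviour will also force HTTPS on every subdomain of the GitLab host for a year; either leave `includeSubDomains` out of the default or say in the comment what it adds and that it is only safe when every subdomain serves HTTPS. The port caveat that was dropped from the controller belongs in this comment as well. Since this `add_header` sits at `server` level, also check that none of the template's `location` blocks declare their own `add_header`, because nginx does not inherit `add_header` into a block that sets any of its own.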