A partial archive of meta.discourse.org as of Tuesday July 18, 2017.

Let’s Encrypt problem after upgrading to 1.9.0.beta3

saluzi

After upgrading to 1.9.0.beta3, the SSL (Let’s Encrypt) rating has changed from A+ to A; the problem is HSTS.

Thanks very much

mpalmer

What is the problem with HSTS?

saluzi

Using the ssllabs.com query, the sentence “HTTP Strict Transport Security (HSTS) with long duration deployed on this server” has disappeared. Thank you.

mpalmer

The default HSTS configuration is compliant with the SSL Labs recommendations. What site are you testing, and what changes have you made to the default discourse_docker templates?

saluzi

I have nothing to change, completely default. My website is https://www.xxxx.com/

mpalmer

Your site is not sending an HSTS header at all. You’re also sending a header that was reverted from the default template nine days ago. Whatever you’re doing over there, it isn’t what we recommend.

codinghorror

Working fine on my self-hosted, by-the-book install of Discourse

saluzi

codinghorror

Hmm, plausible, as I did a command-line rebuild yesterday. cc @falco

mpalmer

Can confirm discourse.codinghorror.com is no longer sending an HSTS header at all:

$ wget -O /dev/null -S https://discourse.codinghorror.com -q
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 13 Jul 2017 22:04:15 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-Discourse-Route: list/latest
  Cache-Control: no-store, must-revalidate, no-cache, private
  X-Discourse-Cached: true
  X-Request-Id: f40d4ea9-375a-4a9e-b6e1-c7500ffa194f
  X-Runtime: 0.002585
  X-Discourse-TrackView: 1
  Referrer-Policy: no-referrer-when-downgrade

Falco

Yeah, I made a mistake when I added the Referrer-Policy header.

nginx add_header’s lack of support for inheritance got me there.

Will fix soon.
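
The add_header inheritance pitfall described above, as an added illustration that is not Discourse’s own nginx template: nginx only inherits add_header directives from the enclosing level when the current level defines none of its own, so adding a single Referrer-Policy header inside a location block silently drops every header set at the server level, HSTS included. The server name forum.example.com, the upstream name discourse, the snippet path and the header values are assumptions chosen for the example; the two server blocks are alternatives (before and after), not one deployment.

```nginx
# Added illustration of the nginx add_header inheritance pitfall.
# Not Discourse's template; server_name, upstream, paths and values are assumed.

# BROKEN: the location block defines its own add_header, so nothing set at the
# server level is inherited there. Responses for / carry Referrer-Policy but
# lose Strict-Transport-Security and X-Frame-Options, which is exactly the
# symptom SSL Labs reports as "no HSTS header".
server {
    listen 443 ssl;
    server_name forum.example.com;          # assumed

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        proxy_pass http://discourse;        # assumed upstream name
    }
}

# FIXED: keep the full header set in one snippet and include it at every level
# that adds headers, so no level ever relies on inheritance.
#
# /etc/nginx/snippets/security-headers.conf (assumed path) contains:
#   add_header Strict-Transport-Security "max-age=31536000" always;
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header Referrer-Policy "no-referrer-when-downgrade" always;
server {
    listen 443 ssl;
    server_name forum.example.com;          # assumed

    include snippets/security-headers.conf;

    location / {
        # Restated here because this level adds headers of its own;
        # without this line the server-level set would not apply to /.
        include snippets/security-headers.conf;
        proxy_pass http://discourse;        # assumed upstream name
    }
}
```

The `always` parameter makes the headers apply to error responses as well as 2xx/3xx ones. After `nginx -t` and a reload, the same check mpalmer used above (`wget -O /dev/null -S https://forum.example.com -q`) should list a `Strict-Transport-Security` line next to `Referrer-Policy`; a max-age of at least 15552000 seconds (180 days) is what SSL Labs counts as “long duration” for the A+ rating.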

mpalmer

Awwwwwwww yeah… we’ve all been to that circle of hell.

Falco

Rebuild a site to test this in action:

codinghorror

It works!

Thanks for the report @saluzi this was a definite regression.

codinghorror