From e8c469cd0780a054150e8b7ed79bc7295b7976e4 Mon Sep 17 00:00:00 2001
From: Samuel Spiza <115639+samuelspiza@users.noreply.github.com>
Date: Sun, 22 Jun 2025 12:10:44 +0200
Subject: [PATCH 1/2] traefik: use built-in HSTS max-age option

Instead of defining a cutom header, make use of the built-in option to add the HSTS max-age. This addresses issue #339 "Use built-in HSTS options for traefik".
---
 src/js/helpers/traefik.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/js/helpers/traefik.js b/src/js/helpers/traefik.js
index 6b39b382..238723fe 100644
--- a/src/js/helpers/traefik.js
+++ b/src/js/helpers/traefik.js
@@ -42,8 +42,7 @@ export default (form, output) => {
 ' [http.middlewares.redirect-to-https.redirectScheme]\n'+
 ' scheme = "https"\n'+
 ' [http.middlewares.hsts-header.headers]\n'+
- ' [http.middlewares.hsts-header.headers.customResponseHeaders]\n'+
- ' Strict-Transport-Security = "max-age='+output.hstsMaxAge+'"\n';
+ ' stsSeconds = '+output.hstsMaxAge+'\n';
 }
 conf +=
From 7beb317d63fca4bb0e9ffa3863b97fcb5eac7ee0 Mon Sep 17 00:00:00 2001
From: Samuel Spiza <115639+samuelspiza@users.noreply.github.com>
Date: Sun, 22 Jun 2025 12:12:30 +0200
Subject: [PATCH 2/2] traefik: add commented out HSTS directives

Add commented out versions of stsIncludeSubdomains and stsPreload to make it easier to fully configure the HSTS header with the built-in configuration options. This addresses issue #339 "Use built-in HSTS options for traefik".
---
 src/js/helpers/traefik.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/js/helpers/traefik.js b/src/js/helpers/traefik.js
index 238723fe..022c4db7 100644
--- a/src/js/helpers/traefik.js
+++ b/src/js/helpers/traefik.js
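Review bot: In the hunk of patch 1/2, the new `stsSeconds` line changes when the header is sent. Traefik's built-in STS option emits Strict-Transport-Security only on requests it sees as HTTPS unless `forceSTSHeader = true` is set, whereas the removed `customResponseHeaders` entry was not conditional on the scheme. That is the right behaviour when Traefik terminates TLS itself, but a deployment with TLS terminated upstream could silently lose HSTS, so the generated config could carry a comment line such as `# sent on HTTPS requests only; see forceSTSHeader if TLS is terminated upstream`. The value is also now written as a bare TOML integer rather than inside a quoted string, so `output.hstsMaxAge` presumably has to be numeric for the file to parse; where it comes from is not visible here. The enclosing function starts and ends outside the hunk.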
@@ -43,6 +43,11 @@ export default (form, output) => {
 ' scheme = "https"\n'+
 ' [http.middlewares.hsts-header.headers]\n'+
 ' stsSeconds = '+output.hstsMaxAge+'\n';
+ ' # Depending on your configuration you might want to also enable "includeSubDomains"\n';
+ ' # and "preload". More infos about these directives can be found at\n';
+ ' # https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security\n';
+ ' #stsIncludeSubdomains = true\n';
+ ' #stsPreload = true\n';
 }
 conf +=
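Review bot: The five added lines never reach the generated config. The `stsSeconds` context line above them still ends with `;`, and each added line also ends with `';`, so they are stand-alone string expression statements rather than part of the `conf +=` concatenation. End the `stsSeconds` line and the first four added lines with `'+` and keep `;` only on the `#stsPreload` line, e.g. `' stsSeconds = '+output.hstsMaxAge+'\n'+`. Since the hint invites users to uncomment `stsPreload`, it could also say that preload-list inclusion is slow to undo and should wait until every subdomain serves HTTPS. The enclosing block and function start outside the hunk.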