HSTS Preload
-
It would be nice to have a way to modify the default nginx headers of WordPress Apps.
By default, WordPress Apps in Cloudron have the header "strict-transport-security: max-age=63072000". You can find a screenshot below and the reference in here: https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L98
This feature request would be useful in several ways; one of them is because there are simple requirements to submit a domain to the HSTS Preload List. The requirements are adding the "strict-transport-security" header with:
- The max-age must be at least 31536000 seconds (1 year).
- The includeSubDomains directive must be specified.
- The preload directive must be specified.
Using a WordPress plugin I added the required header, but then I would have 2 "strict-transport-security" headers that would result in an "ineligibility" status by submitting the HSTS Preload form.
Please comment if you think I missed something or want to add something to this request. Thanks for reading!
This is a screenshot of our website's headers using Chrome Tools:
-
The requirements are here https://hstspreload.org/ .
I think instead of making something generic, we can possible just add a checkbox say "Enable HSTS Preload" or something.
