I want SSL only without HSTS #66

ianeiloart opened this issue Jun 27, 2017 · 2 comments

@ianeiloart

I want a back-out path from ssl-only. Currently, if I deploy SSL only, HSTS headers get issued, which means I have no way to back out if I have problems with certificate renewal or spot a problem with the way the SSL site renders.

So, maybe I could make a file
config/ssl-only-no-sts
to get ssl throughout the site, and when I'm confident that I can commit to this configuration, then deploy STS.

@patch0
Contributor

patch0 commented Jul 10, 2017

That can be fixed by setting the header to zero in the apache config snippet.

So in /etc/apache2/sites-enabled/my-brilliant-site.com.conf change

Header always set Strict-Transport-Security "max-age=15768000"

to

Header always set Strict-Transport-Security "max-age=0"

and reload apache.

service apache2 reload

This will inform the clients that they should stop regarding the site as one that uses HSTS.

@patch0 patch0 closed this as completed Jul 10, 2017
@patch0 patch0 added the wontfix label Jul 10, 2017
@jamielinux
Contributor

jamielinux commented Jun 18, 2018

So, best practice for enabling SSL for a website (regardless of Symbiosis or not) is:

  1. Run SSL and non-SSL side-by-side.
  2. Force redirect from non-SSL to SSL.
  3. Enable HSTS with a long max age (e.g., 6 months).

Symbiosis compresses (2) and (3) into one step. This isn't ideal; if you've got problems with SSL and need to go back to non-SSL, the HSTS header makes this kind of hard. Visitors coming back won't be able to access the non-SSL site unless you change the template to specify max-age=0. (Changing templates is something we don't want most Symbiosis customers to have to worry about. Also HSTS is an area of lots of confusion.)

Patrick's suggestion is to have the Symbiosis SSL vhost template publish the max-age=0 HSTS header by default when ssl-only is off. This solves the problem nicely. MR to follow.

@jamielinux jamielinux reopened this Jun 18, 2018
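The client-side behaviour that patch0's max-age=0 fix and jamielinux's three-step rollout rely on, as an added example that is not part of this issue or of Symbiosis: a small Python model of how an RFC 6797 client updates its HSTS cache from a Strict-Transport-Security header. It shows why max-age=0 is the back-out path, why the header is ignored on plain HTTP, and how includeSubDomains widens the effect. The host name and cache layout are constructed for illustration.

```python
"""Model of how an RFC 6797 client updates its HSTS state from a
Strict-Transport-Security header. Constructed example, not Symbiosis code."""
import re
from typing import Optional

def parse_hsts(value: str) -> Optional[dict]:
    """Split an STS value into directives; None if the value is not valid."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:  # duplicate directives make the header invalid
            return None
        directives[name] = val
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be a plain integer
    return directives

def apply_hsts(cache: dict, host: str, header: Optional[str], over_tls: bool) -> str:
    """Update the client's HSTS cache for host; returns the action taken."""
    if not over_tls or header is None:
        return "ignored"  # STS received over plain HTTP is never honoured
    parsed = parse_hsts(header)
    if parsed is None:
        return "ignored"
    max_age = int(parsed["max-age"])
    if max_age == 0:
        cache.pop(host, None)  # max-age=0: forget the host, the back-out path
        return "cleared"
    cache[host] = {"max_age": max_age,
                   "include_subdomains": "includesubdomains" in parsed}
    return "registered"

def must_upgrade(cache: dict, host: str) -> bool:
    """Would the client rewrite http://host/ to https:// before connecting?"""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return True
    return False
```

Serving max-age=0 only clears the entry on clients that revisit the HTTPS site; a client that never reconnects keeps enforcing the old policy until its original max-age runs out.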