I want a back-out path from ssl-only. Currently, if I deploy SSL-only, HSTS headers get issued, which means I have no way to back out if I have problems with certificate renewal or spot a problem with the way the SSL site renders.
So, maybe I could make a file
config/ssl-only-no-sts
to get SSL throughout the site, and when I'm confident that I can commit to this configuration, then deploy STS.
So, best practice for enabling SSL for a website (regardless of Symbiosis or not) is:
1. Run SSL and non-SSL side-by-side.
2. Force redirect from non-SSL to SSL.
3. Enable HSTS with a long max age (e.g., 6 months).
Symbiosis compresses (2) and (3) into one step. This isn't ideal; if you've got problems with SSL and need to go back to non-SSL, the HSTS header makes this kind of hard. Visitors coming back won't be able to access the non-SSL site unless you change the template to specify max-age=0. (Changing templates is something we don't want most Symbiosis customers to have to worry about. Also, HSTS is an area of lots of confusion.)
Patrick's suggestion is to have the Symbiosis SSL vhost template publish the max-age=0 HSTS header by default when ssl-only is off. This solves the problem nicely. MR to follow.
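As an added illustration of the back-out problem discussed in this thread (example code, not Symbiosis's template or anything from the issue): a small model of a browser's HSTS store following RFC 6797, replayed against the three template choices: a long max-age, the header simply removed, and max-age=0. The hostname, header values and timings are constructed.

```python
from dataclasses import dataclass, field

def parse_max_age(value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None

@dataclass
class HstsCache:
    """A browser's HSTS store: host -> time (seconds) at which the policy expires."""
    policies: dict = field(default_factory=dict)

    def observe(self, host, scheme, headers, now):
        """Apply one response. Per RFC 6797 only HTTPS responses may set or clear a policy."""
        if scheme != "https":
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return  # header simply removed: the stored policy keeps running until it expires
        max_age = parse_max_age(value)
        if max_age is None:
            return
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 clears the policy: the back-out path
        else:
            self.policies[host] = now + max_age

    def forces_https(self, host, now):
        expiry = self.policies.get(host)
        return expiry is not None and now < expiry

def still_forced(host, responses, now):
    """Replay constructed (time, scheme, headers) responses; does the browser now refuse plain HTTP?"""
    cache = HstsCache()
    for t, scheme, headers in responses:
        cache.observe(host, scheme, headers, t)
    return cache.forces_https(host, now)

# Constructed header sets standing in for the three template choices.
LONG = {"Strict-Transport-Security": "max-age=15768000"}  # about 6 months, the "long max age"
CLEAR = {"Strict-Transport-Security": "max-age=0"}  # the proposed default while ssl-only is off
NONE = {}  # header dropped from the template altogether
```

Replaying LONG then NONE leaves a returning visitor locked to HTTPS; LONG then CLEAR (over HTTPS) releases them, while CLEAR served only over plain HTTP is ignored.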