Drop the Strict-Transport-Security response header #1984

Merged
merged 2 commits into from
Jan 4, 2023
Tratcher
Member

@Tratcher Tratcher commented Jan 4, 2023

Fixes #1862

Strict-Transport-Security is a per-hop response header. Since we terminate TLS, we should not proxy this header.

@Tratcher Tratcher added this to the YARP 2.0.0 milestone Jan 4, 2023
@Tratcher Tratcher requested a review from MihaZupan as a code owner January 4, 2023 01:11
@Tratcher Tratcher self-assigned this Jan 4, 2023
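
The per-hop reasoning in the description, as an added example that is not part of this pull request or of YARP's source: a TLS-terminating proxy that sets its own HSTS policy and copies upstream response headers with and without a per-hop filter. The names `HopFilter` and `CopyResponseHeaders`, the abbreviated header set, and the sample header values are assumptions made for the illustration.

```csharp
// Added illustration, not YARP code. HopFilter and CopyResponseHeaders are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;

static class HopFilter
{
    // Response headers that describe a single connection and must not cross the proxy.
    // Abbreviated, assumed list; HTTP field names are case-insensitive, hence the comparer.
    static readonly HashSet<string> PerHop = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "Connection", "Transfer-Encoding", "Keep-Alive", "Upgrade",
        "Strict-Transport-Security",
    };

    // Copies upstream response headers onto the client response, skipping per-hop ones.
    public static void CopyResponseHeaders(
        IEnumerable<KeyValuePair<string, string>> upstream,
        List<KeyValuePair<string, string>> client,
        bool filter)
    {
        foreach (var h in upstream)
        {
            if (filter && PerHop.Contains(h.Key)) continue;
            client.Add(h);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: headers a destination behind the proxy might return.
        var upstream = new[]
        {
            KeyValuePair.Create("Content-Type", "text/html"),
            KeyValuePair.Create("strict-transport-security", "max-age=60"),
        };
        foreach (var filter in new[] { false, true })
        {
            // The TLS-terminating hop sets the policy for the public origin itself.
            var client = new List<KeyValuePair<string, string>>
                { KeyValuePair.Create("Strict-Transport-Security", "max-age=31536000") };
            HopFilter.CopyResponseHeaders(upstream, client, filter);
            var sts = client.Where(h => h.Key.Equals("Strict-Transport-Security",
                StringComparison.OrdinalIgnoreCase)).Select(h => h.Value).ToList();
            Console.WriteLine($"filter={filter}: {sts.Count} HSTS value(s): {string.Join(" | ", sts)}");
        }
    }
}
```

With the filter off, the client response carries two HSTS values with different `max-age` settings; RFC 6797 section 8.1 tells user agents to process only the first, so the effective policy then depends on header order rather than on the proxy's configuration.
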
@Kahbazi
Collaborator

Kahbazi commented Jan 4, 2023

Should the doc be updated as well to include this header? https://github.com/microsoft/reverse-proxy/blob/4f46326e6a73ecc1785bc07040491600ba2d312b/docs/docfx/articles/header-guidelines.md#yarp-header-filtering

Member

@MihaZupan MihaZupan left a comment

Can you update

private static readonly HashSet<string> _headersToExclude = new(17, StringComparer.OrdinalIgnoreCase)

to 18 as well?

@Tratcher Tratcher enabled auto-merge (squash) January 4, 2023 18:30
@Tratcher Tratcher merged commit f26d0f1 into main Jan 4, 2023
@Tratcher Tratcher deleted the tratcher/sts branch January 4, 2023 18:45
Successfully merging this pull request may close these issues.

Duplicated Strict-Transport-Security response header