The "security.strict-transport-security" option does not behave as documented (as of ec12b710aac0d7f4d6c3bad0f1a8993e7f2d0f84 in phabricator).
When this option is turned off, Phabricator still sends a Strict-Transport-Security header, with a max-age of 0:
Strict-Transport-Security: max-age=0; includeSubdomains; preload
When the option is turned on, it simply toggles the max-age:
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Toggling it back to false returns me to the first header (max-age=0). This doesn't match the option documentation, which says: "Enable HTTP Strict Transport Security (HSTS)." Clicking on it, you see "HTTP Strict Transport Security (HSTS) sends a header..."
Therefore, if the HSTS option is turned off, you would expect that header to *not* be sent, because turning it on "sends a header".
When the option is false I expect Phabricator to not send a header at all. The description of the option (both the short text and the longer description) should make it clear that the header is *always* sent and the option simply controls the max-age.
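The two headers quoted in this report are not equivalent to "header present" versus "header absent" from the browser's point of view: RFC 6797 (section 8.1) says a max-age of 0 tells the user agent to drop the host from its known-HSTS-hosts list, whereas omitting the header leaves a previously cached policy in force until it expires. The following added example (not Phabricator's code) parses the header and models that cache behaviour over the two values above, and also checks the header against the hstspreload.org submission requirements (max-age of at least one year plus includeSubDomains and preload), since a max-age=0 header still carries the preload token. The host name is a placeholder.

```python
"""Parse Strict-Transport-Security headers and model a browser's HSTS cache.

Added example, not Phabricator's code. The two sample headers are the ones
quoted in the report above; the cache model follows RFC 6797 section 8.1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security header.

    Directive names are case-insensitive and unknown directives are ignored
    (RFC 6797 section 6.1); max-age is required and must appear exactly once.
    Raises ValueError for a header that lacks a valid max-age.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid or duplicate max-age in {header_value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def apply_to_cache(cache: Dict[str, HstsPolicy], host: str,
                   header_value: Optional[str]) -> str:
    """Update a per-host HSTS cache the way a browser does after an HTTPS response.

    Returns what happened, so the difference between 'no header' and
    'max-age=0' is visible to the caller.
    """
    if header_value is None:
        # No header: an existing policy stays until its own max-age expires.
        return "kept" if host in cache else "none"
    policy = parse_hsts(header_value)
    if policy.max_age == 0:
        # max-age=0 directs the UA to forget the host (RFC 6797 section 8.1).
        return "removed" if cache.pop(host, None) is not None else "none"
    cache[host] = policy
    return "stored"


def preload_eligible(policy: HstsPolicy) -> bool:
    """hstspreload.org requirements on the header itself: max-age of at least
    one year, with includeSubDomains and preload both present."""
    return policy.max_age >= 31536000 and policy.include_subdomains and policy.preload


# Constructed sample input: the two headers quoted in the report above.
HEADER_OFF = "max-age=0; includeSubdomains; preload"
HEADER_ON = "max-age=31536000; includeSubdomains; preload"


def demo() -> List[str]:
    """Walk one host through: option on, no header, option off, no header."""
    cache: Dict[str, HstsPolicy] = {}
    host = "phabricator.example"  # placeholder host
    return [
        apply_to_cache(cache, host, HEADER_ON),   # stored
        apply_to_cache(cache, host, None),        # kept: absent header changes nothing
        apply_to_cache(cache, host, HEADER_OFF),  # removed: max-age=0 clears the entry
        apply_to_cache(cache, host, None),        # none: nothing left to keep
    ]


if __name__ == "__main__":
    print(demo())
    for value in (HEADER_ON, HEADER_OFF):
        print(value, "-> preload eligible:", preload_eligible(parse_hsts(value)))
```

The sequence shows why the report's expectation and the current behaviour differ in effect: with the option off, Phabricator actively clears any HSTS policy the browser cached while the option was on, which is a stronger change than simply not sending the header.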