WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 2 years ago

#28520 closed enhancement (maybelater)

Mechanism for sending an HSTS header

Reported by: johnbillion Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords: https
Focuses: Cc:
PR Number:

Description

As per the comments on https://make.wordpress.org/core/2014/06/11/ssl-taskforce/, we should introduce a new constant which enables sending an HSTS header.

The value would act as the value of the max-age parameter in the header, or would default to a sane value (probably one year) if it's set to boolean true.

Patch coming up.

Related: #27954.

Attachments (1)

28520.dff (1.3 KB) - added by tollmanz 5 years ago.
Initial implementation of HSTS headers

Download all attachments as: .zip

Change History (11)

@tollmanz
5 years ago

Initial implementation of HSTS headers

#2 @tollmanz
5 years ago

This patch just adds the header definitions, but does not actually set them. I'm a little confused as to where WordPress needs to set headers.

To enable, you need to add something like the following in wp-config.php:

define( 'ENABLE_HSTS', 12345 );

You can turn it off by setting it to 0.

I think that since this is "the" place that devs will be encouraged to handle HSTS headers, we should all for adding the includeSubDomains value. Not sure how to do this though.

#3 follow-up: @tollmanz
5 years ago

I'm finding some flaws in the constant based method. Let's suppose that you run a subdomain MS installation. The constant method would set an HSTS header for each site, although it may only be intended for the primary domain or one of the other domains. Certainly, this can be filtered out at another level, but perhaps the constant is a bad way to get started on this issue.

#4 in reply to: ↑ 3 @johnbillion
5 years ago

Replying to tollmanz:

Let's suppose that you run a subdomain MS installation. The constant method would set an HSTS header for each site, although it may only be intended for the primary domain or one of the other domains.

Yeah. The same issue applies if your admin area uses a different domain from the front end too. I've got a patch brewing for this which I'll upload in the next day or two.

#5 @johnbillion
5 years ago

  • Milestone changed from 4.0 to Future Release

There are quite a few potential complications here. Bumping this to 4.1.

#6 @chriscct7
4 years ago

@johnbillion want to take a look at this?

#7 @johnbillion
4 years ago

Same as #28424, this should be dependent on #28521.

#8 @johnbillion
4 years ago

  • Keywords https added

#9 @ocean90
3 years ago

  • Type changed from task (blessed) to enhancement

#10 @johnbillion
2 years ago

  • Milestone Future Release deleted
  • Resolution set to maybelater
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.