Mechanism for sending an HSTS header

[johnbillion]

As per the comments on ​https://make.wordpress.org/core/2014/06/11/ssl-taskforce/, we should introduce a new constant which enables sending an ​HSTS header.

The value would act as the value of the max-age parameter in the header, or would default to a sane value (probably one year) if it's set to boolean true.

Patch coming up.

Related: #27954.

[johnbillion]

Related: #28521

[tollmanz]

Initial implementation of HSTS headers

[tollmanz]

This patch just adds the header definitions, but does not actually set them. I'm a little confused as to where WordPress needs to set headers.

To enable, you need to add something like the following in wp-config.php:

define( 'ENABLE_HSTS', 12345 );

You can turn it off by setting it to 0.

I think that since this is "the" place that devs will be encouraged to handle HSTS headers, we should all for adding the includeSubDomains value. Not sure how to do this though.

[tollmanz]

I'm finding some flaws in the constant based method. Let's suppose that you run a subdomain MS installation. The constant method would set an HSTS header for each site, although it may only be intended for the primary domain or one of the other domains. Certainly, this can be filtered out at another level, but perhaps the constant is a bad way to get started on this issue.

[johnbillion]

Replying to tollmanz:

Let's suppose that you run a subdomain MS installation. The constant method would set an HSTS header for each site, although it may only be intended for the primary domain or one of the other domains.

Yeah. The same issue applies if your admin area uses a different domain from the front end too. I've got a patch brewing for this which I'll upload in the next day or two.

[johnbillion]

There are quite a few potential complications here. Bumping this to 4.1.

[chriscct7]

@johnbillion want to take a look at this?

[johnbillion]

Same as #28424, this should be dependent on #28521.