Stop setting Strict-Transport-Securty header from within the app

76e96878 · Paweł Chojnacki · Marin Jankovski · a9a58156 · 76e96878 · 76e96878
4 changed file
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -122,10 +122,6 @@ class ApplicationController < ActionController::Base
    headers['X-XSS-Protection'] = '1; mode=block'
    headers['X-UA-Compatible'] = 'IE=edge'
    headers['X-Content-Type-Options'] = 'nosniff'
-    # Enabling HSTS for non-standard ports would send clients to the wrong port
-    if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port == 443
-      headers['Strict-Transport-Security'] = 'max-age=31536000'
-    end
  end

  def validate_user_service_ticket!

--- a/changelogs/unreleased/3440-remove-hsts-header.yml
+++ b/changelogs/unreleased/3440-remove-hsts-header.yml
+---
+title: Stop setting Strict-Transport-Securty header from within the app
+merge_request:
+author:
--- a/doc/update/8.17-to-9.0.md
+++ b/doc/update/8.17-to-9.0.md
+#### Nginx configuration
+
+Ensure you're still up-to-date with the latest NGINX configuration changes:
+
+```sh
+cd /home/git/gitlab
+
+# For HTTPS configurations
+git diff origin/8-17-stable:lib/support/nginx/gitlab-ssl origin/9-0-stable:lib/support/nginx/gitlab-ssl
+
+# For HTTP configurations
+git diff origin/8-17-stable:lib/support/nginx/gitlab origin/9-0-stable:lib/support/nginx/gitlab
+```
+
+If you are using Strict-Transport-Security in your installation to continue using it you must enable it in your Nginx 
+configuration as GitLab application no longer handles setting it.
+
+If you are using Apache instead of NGINX please see the updated [Apache templates].
+Also note that because Apache does not support upstreams behind Unix sockets you
+will need to let gitlab-workhorse listen on a TCP port. You can do this
+via [/etc/default/gitlab].
+
+[Apache templates]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
+[/etc/default/gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/blob/9-0-stable/lib/support/init.d/gitlab.default.example#L38
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -82,6 +82,9 @@ server {
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

+  ## [Optional] Enable HTTP Strict Transport Security
+  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;