Forum

HTTP strict transport security

David Oliver
27 February 2014, 15:18
Hello Hugo,

After doing a little reading on the HTTP strict transport security header, I noticed that my Hiawatha-served SSL/TLS sites’ responses already have a 'Strict-Transport-Security: max-age=31536000' header. A couple of questions:

1. Under what circumstances is this header applied? (I'm using RequireSSL, but I suppose the header may be applied to all SSL sites.)

2. If PHP sends a new 'Strict-Transport-Security' header with a value such as 'max-age=86400; includeSubDomains', should this new value take effect okay?

Many thanks.
Hugo Leisink
27 February 2014, 15:21
The header is sent when RequireSSL is set to 'yes'. Hiawatha ignores any such header sent by PHP, so you'll end up with two headers if you do so.
David Oliver
27 February 2014, 15:29
Thanks - that's good to know.

Is it impossible to prevent Hiawatha from setting that header via PHP? I suspect not, and that I'd need to turn RequireSSL off if a custom value is required?
Hugo Leisink
27 February 2014, 15:33
Indeed. Turn off RequireSSL and check for usage of HTTPS in your PHP code:
$_SERVER["HTTPS"] = "on" / "off"
$_SERVER["HTTP_SCHEME"] = "http" / "https"
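The approach Hugo describes, written out as an added example (this is not code from the thread, from Hiawatha or from David's site): the PHP application checks the two server variables above, emits its own Strict-Transport-Security value only on HTTPS requests, and a small helper counts HSTS headers in a raw response so the duplicate-header situation from the earlier reply can be spotted. The plain-HTTP redirect is an assumption about what the application must now do once RequireSSL is off, the host name is a placeholder, and the sample response lines are constructed.

```php
<?php
// Added example, not code from the thread or from Hiawatha: taking over the
// HSTS header in PHP once RequireSSL has been set to 'no'.

/**
 * True when Hiawatha delivered the request over TLS. Both variables named in
 * the thread are checked; either one is sufficient.
 */
function request_is_https(array $server): bool
{
    if (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') {
        return true;
    }
    return isset($server['HTTP_SCHEME'])
        && strtolower($server['HTTP_SCHEME']) === 'https';
}

/** Build the header value, e.g. "max-age=86400; includeSubDomains". */
function hsts_header_value(int $maxAgeSeconds, bool $includeSubDomains = false): string
{
    $value = 'max-age=' . $maxAgeSeconds;
    if ($includeSubDomains) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

/**
 * Returns the HSTS value that was emitted, or null for a plain-HTTP request.
 * Browsers ignore an HSTS header received over HTTP, so it is only sent on TLS.
 */
function apply_hsts_policy(array $server, int $maxAgeSeconds, bool $includeSubDomains): ?string
{
    if (!request_is_https($server)) {
        // Assumption: with RequireSSL off, the application is now what forces
        // HTTPS, so it redirects plain-HTTP requests itself.
        $host = $server['HTTP_HOST'] ?? 'www.example.com';  // placeholder host
        $uri  = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . $host . $uri, true, 301);
        return null;
    }

    $value = hsts_header_value($maxAgeSeconds, $includeSubDomains);
    // Third argument true replaces any earlier Strict-Transport-Security header
    // set by this script, so PHP itself emits exactly one.
    header('Strict-Transport-Security: ' . $value, true);
    return $value;
}

/**
 * Check from the outside: count Strict-Transport-Security headers in a raw
 * response (header names are case-insensitive). The situation from the thread,
 * RequireSSL still on while PHP also sends the header, shows up as 2.
 */
function count_hsts_headers(array $rawHeaderLines): int
{
    $count = 0;
    foreach ($rawHeaderLines as $line) {
        if (stripos($line, 'Strict-Transport-Security:') === 0) {
            $count++;
        }
    }
    return $count;
}

// In the web application, at the top of the request handler:
// apply_hsts_policy($_SERVER, 86400, true);

// Constructed sample of the response headers seen when both Hiawatha and PHP
// send the header (curl -I against the site would show the same lines).
$sampleResponse = [
    'HTTP/1.1 200 OK',
    'Strict-Transport-Security: max-age=31536000',
    'Strict-Transport-Security: max-age=86400; includeSubDomains',
    'Content-Type: text/html',
];
if (count_hsts_headers($sampleResponse) !== 1) {
    echo "Duplicate HSTS header: turn RequireSSL off or drop the PHP header\n";
}
```

Run the checker part against the headers of a real response (for example the output of curl -I) after changing the RequireSSL setting; exactly one Strict-Transport-Security line is the expected result, and that line should carry the max-age and includeSubDomains values the PHP code emits.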
David Oliver
27 February 2014, 15:42
Righty-ho. Thanks!
This topic has been closed.