Add HSTS middleware #905
Add HSTS middleware #905
Conversation
This header is entirely useless for us because the header is aimed at browsers, but some scanners still think this is needed. Link: https://www.tenable.com/plugins/nessus/142960
|
Why not merging this? If it will make people shut up, I'm all for it. |
I am, sadly, in the same boat as this. While I detest that scanners force us into these situations, I also feel for our users and a small change that improves their experience gets my vote. |
|
I appreciate you taking the time to create a PR as a potential solution. As others have mentioned it seems like a simple fix to make the customer experience better. |
|
I'm still tempted to detect the Nessus user agent and simply reject them to silence it. Another option is to only send it to Nessus, just to shut it up. If we want merge this, we need to be compliant with the RFC and only send it when the connection is over TLS (RFC 6797 section 5.1). It's also good to add some tests to this. |
This header is entirely useless for us because the header is aimed at browsers, but some scanners still think this is needed.
This PR is not intended to be merged, but only serve as an example for how it could be implemented.
Link: https://www.tenable.com/plugins/nessus/142960