Misskey: Allow option to disable sending HSTS headers even if https:// is used in url

Created on 16 Oct 2018  ·  4 Comments  ·  Source: syuilo/misskey

Summary

Allow option to disable sending HSTS headers even if https:// is used

I'm using a webserver as a proxy which does HTTPS and HSTS; Misskey is communicating in HTTP with the webserver. But I have set "url" to https:// so that images etc. internally are HTTPS and do not need to be rewritten by the webserver every time. This works fine that way, but it sends a duplicate HSTS header.

https://github.com/syuilo/misskey/blob/80daf7c749298b72cd5722f81bcb8c9c543b3c52/src/server/index.ts#L44

Maybe a new option "hsts: false" in the config? That would be enough.

⚙️Server

All 4 comments

Thank you for your suggestion.
I will implement it!

Weird, I can't log in anymore now. But it is regardless of the disableHsts setting.

It says wrong user/pass but it's correct.

Error 500 for POST to /api/signin

  Error: Cannot send secure cookie over unencrypted connection
      at Cookies.set (/usr/home/misskey/misskey/node_modules/cookies/index.js:94:11)
      at Object.default_1 [as default] (/usr/home/misskey/misskey/built/server/api/common/signin.js:6:17)
      at exports.default (/usr/home/misskey/misskey/built/server/api/private/signin.js:64:29)

Did I break something? D:

I just disabled the secure flag in v10.22.1

Awesome, works!
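
An added example, not part of the original thread and not Misskey's code: one way an app behind a TLS-terminating proxy can leave HSTS to the proxy and still mark cookies Secure, by honouring X-Forwarded-Proto only when the request comes from the proxy's address. `url` and `disableHsts` are the names used in the thread; `trustedProxies`, the hostname, the addresses, the HSTS value and the proxy setting X-Forwarded-Proto are assumptions.

```javascript
// Added example, not Misskey's code. `url` and `disableHsts` are the config
// keys named in the thread; `trustedProxies` is a hypothetical key.
const HSTS_VALUE = 'max-age=31536000'; // constructed value

// Is the client-facing hop HTTPS? Either this socket is TLS, or the peer is a
// known proxy and reports https in X-Forwarded-Proto. The header is ignored
// from any other peer, because a client can set it to whatever it likes.
function clientHopIsHttps(req, trustedProxies) {
  if (req.socket.encrypted) return true;
  if (!trustedProxies.includes(req.socket.remoteAddress)) return false;
  const forwarded = String(req.headers['x-forwarded-proto'] || '');
  return forwarded.split(',')[0].trim().toLowerCase() === 'https';
}

// Decide the HSTS header and the session cookie attributes for one request.
function responsePolicy(config, req) {
  const headers = {};
  // HSTS belongs to whoever terminates TLS: skip it when the proxy sends it.
  if (config.url.startsWith('https://') && !config.disableHsts) {
    headers['Strict-Transport-Security'] = HSTS_VALUE;
  }
  const secure = clientHopIsHttps(req, config.trustedProxies || []);
  return { headers, cookie: { secure, httpOnly: true } };
}

// Constructed request as the app sees it behind the proxy: plain HTTP socket.
function fakeReq(remoteAddress, proto) {
  const headers = proto ? { 'x-forwarded-proto': proto } : {};
  return { socket: { encrypted: false, remoteAddress }, headers };
}

function demo() {
  const config = {
    url: 'https://misskey.example', // constructed hostname
    disableHsts: true,              // the proxy already sends HSTS
    trustedProxies: ['127.0.0.1'],  // constructed proxy address
  };
  return {
    viaProxy: responsePolicy(config, fakeReq('127.0.0.1', 'https')),
    untrustedPeer: responsePolicy(config, fakeReq('203.0.113.7', 'https')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
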
