#13609 closed Bug/Something is broken (fixed)

Share.mayfirst.org HTST header issue

Reported by: https://id.mayfirst.org/wolcen Owned by: https://id.mayfirst.org/jamie
Priority: Medium Component: Tech
Keywords: nextcloud htst Cc:
Sensitive: no


Requests received from share.mayfirst.org have a HTTP-header for Strict-Transport-Security that appears to be invalid. Firefox complains with Strict-Transport-Security: The site specified a header that could not be parsed successfully. errors on the console.

An example value for the header currently is: Strict-Transport-Security max-age=15768000; # includeSubDomains; preload;

Presumably, someone wanted to comment something somewhere that comments are not honored.

Chrome appears not to issue any warning and doesn't even display the header, but I did verify with chromium --disable-extensions that the header was not injected by an add-on.

Change History (3)

comment:1 Changed 10 months ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jamie
  • Status changed from new to assigned

Let's get jamie to look at this.

comment:2 Changed 10 months ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from assigned to feedback

Thanks for the alert - indeed, a typo in the nginx configuration that should now be fixed.

I still see some errors in the console - but the hsts one should no longer be there.

comment:3 Changed 10 months ago by https://id.mayfirst.org/wolcen

  • Status changed from feedback to closed

Looks good! I originally came across this given failure to share a calendar and am still having issues, but will open a new ticket for that when I figure out more details first.

Please login to add comments to this ticket.

Note: See TracTickets for help on using tickets.