Add HTTP redirect options

Description

Add some convenience settings to enable HSTS and/or redirect HTTP traffic to HTTPS.

  • Enable HSTS header

  • Set max age

  • Set include subdomain

This could be done via a server rule, but it would be nice to have a structure in the server.json to control it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

HSTS can be enabled manually right now with this server rule

 

You can also force a redirect from HTTP to HTTPS with this rule:


The “done” handler means no further predicates will be run. The HTTPS redirect rule should probably be appended to the START of the rules array so it overrides any custom rules. Note this is different than the other rules CommandBox auto-adds. The other rules are designed to be override-able, but I don’t think this one should be.

Activity

Balbino Aylagas
5 days ago
Edited

test 1 ssl disabled

result

test 2 ssl enabled

result

test 3 force ssl redirect

result

test 4 hsts enabled

result

test 5 hsts enabled without maxAge

result

test 6 hsts enabled and include sub domains

result

Fixed

Assignee

Balbino Aylagas

Reporter

Brad Wood

Labels

None

Affects versions

None

Fix versions

Priority

Major