Hi, I want to set a response header `Strict-Transport-Security = "max-age=31536000; includeSubDomains";`
By default the header is present, but missing the `includeSubDomains` portion.
Based on my understanding of the feature, I've created a simple custom VCL within the Adobe Commerce Cloud admin panel.
The custom VCL is set to deliver with priority 10000000
content: `set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";`
Everything uploaded and cache cleaned, but the response header is still missing `includeSubDomains`.
On further examination, the active VCL contains a subsequent call that overrides the custom VCL, and it's executed as the last step before the deliver.
```
...
# Snippet magentomodule_strictTransportLast : 10000000
set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
#default response conditions
# Header rewrite Enable HSTS : 100
set resp.http.Strict-Transport-Security = "max-age=31557600";
#--FASTLY DELIVER END
return(deliver);
}
```
In the Adobe Commerce panel, Fastly module Advanced configuration, Force TLS is set to disabled.
To follow up on my own issue: the rewrite is done based on a Header object that exists by default in your service configuration. There is no mention of it in the Fastly Magento module, nor the capability to change it.
Fortunately it's doable through the Fastly API:
Check your header details. If the name is different, list all headers first.
`GET {{url}}/service/{{service_id}}/version/{{version_no}}/header/Enable HSTS`
Clone your current version so you are able to edit it.
`PUT {{url}}/service/{{service_id}}/version/{{version_no}}/clone`
Make your changes to the header; add the body here accordingly.
`PUT {{url}}/service/{{service_id}}/version/{{version_no}}/header/Enable HSTS`
Activate your newly cloned version.
`PUT {{url}}/service/{{service_id}}/version/{{version_no}}/activate`
The full Postman collection is available on the Fastly website.
It would be nice if those headers were configurable from the Fastly admin panel, or, as a minimum, if the list of defaults injected into the VCL were added to the module documentation; it would help a lot.
Feel free to close the issue once someone at Fastly acknowledges it, thank you.
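An added check, not part of the original issue or the Fastly module: it reads the generated `vcl_deliver` text quoted in the issue, lists every assignment to `Strict-Transport-Security` in execution order, and reports which one is actually delivered. It assumes straight-line assignments with no conditions, as in the excerpt; the function names are hypothetical.

```python
import re

# Excerpt of the generated vcl_deliver quoted in the issue above.
VCL_DELIVER = '''\
# Snippet magentomodule_strictTransportLast : 10000000
set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
#default response conditions
# Header rewrite Enable HSTS : 100
set resp.http.Strict-Transport-Security = "max-age=31557600";
#--FASTLY DELIVER END
return(deliver);
'''

LABEL = re.compile(r'#\s*(Snippet|Header rewrite)\s+(.+?)\s*:\s*(\d+)\s*$')
SET = re.compile(r'set\s+resp\.http\.([\w-]+)\s*=\s*"([^"]*)"\s*;')

def assignments(vcl, header):
    """Return [(origin, value)] for every assignment to `header`, in execution order."""
    found, origin = [], "unlabelled"
    for line in vcl.splitlines():
        line = line.strip()
        m = LABEL.match(line)
        if m:  # remember which snippet or header object the next lines belong to
            origin = f"{m.group(1)} {m.group(2)} (priority {m.group(3)})"
            continue
        m = SET.match(line)
        if m and m.group(1).lower() == header.lower():
            found.append((origin, m.group(2)))
    return found

def parse_hsts(value):
    """Parse an HSTS value into max-age (int or None) and its flag directives."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [p.partition("=")[2].strip('" ') for p in parts if p.startswith("max-age")]
    return {"max_age": int(ages[0]) if ages and ages[0].isdigit() else None,
            "include_subdomains": "includesubdomains" in parts,
            "preload": "preload" in parts}

def audit(vcl, header="Strict-Transport-Security"):
    """Report which assignment wins (the last one executed) and what it delivers."""
    sets = assignments(vcl, header)
    if not sets:
        return None
    origin, value = sets[-1]
    return {"winner": origin, "overridden": [o for o, _ in sets[:-1]], **parse_hsts(value)}

if __name__ == "__main__":
    print(audit(VCL_DELIVER))
```

Running the same audit on the VCL of the newly activated version shows whether the `Enable HSTS` header object still overrides the custom snippet.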
Fastly module: 1.2.219
Adobe Commerce Cloud: 2.4.7-p1