Allow Option to set HSTS headers on redirect to IdP

Created on 3 August 2020, over 4 years ago
Updated 20 August 2024, 8 months ago

Problem/Motivation

Some hosts (such as Acquia) do not allow you to set HSTS headers with .htaccess or other Apache mechanisms. This means that the application code needs to be responsible for setting them. Also, simplesamlphp is a supported SAML platform for Acquia.

Acquia recommends the use of the "Security Kit" module in order to set this. This has the benefit of setting it on every page on the site. However, because this module (simplesamlphp_auth) interrupts Drupal's bootstrapping, the redirect to the IdP is sent before seckit has a chance to add its headers to the response.

Steps to reproduce

On any site with this module installed, enabled, and configured:

Note: If you want to confirm that seckit is not setting the HSTS headers, have that installed and configured first.

  1. Ensure you have the "Inspect" debugging features turned on in your browser, and have "Preserve Log" enabled so that it doesn't clear upon redirects.
  2. Go to /user/login
  3. Find the redirect to the IdP, and inspect the headers. You'll see that no HSTS is set.
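The same check can be scripted instead of done by hand in the browser's network inspector. The following is an added example, not code from this issue or from the simplesamlphp_auth or Security Kit projects: it requests a URL without following redirects, so the headers of the redirect response itself (not the IdP's page) are inspected, and reports whether a valid Strict-Transport-Security header is present. The one-year minimum `max-age` is an assumption (a commonly recommended floor, not a value from this issue), and the sample responses at the bottom are constructed, not captured from any site.

```python
"""Check whether a redirect response (e.g. /user/login -> IdP) carries HSTS.

Automates the "Steps to reproduce" above: fetch the URL without following
the redirect and evaluate the headers of the first response received.
"""
import urllib.error
import urllib.request

# Assumption: one year is the commonly recommended minimum max-age.
RECOMMENDED_MIN_MAX_AGE = 31536000


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect's own headers stay visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_redirect(url, timeout=10):
    """Return (status, headers) of the first response, even when it is a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # An unfollowed 3xx surfaces as HTTPError; its headers are intact.
        return err.code, dict(err.headers.items())


def parse_hsts(value):
    """Parse an STS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive; max-age is required and must be
    an integer, the others are flags. Returns None if the value is malformed.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # RFC 6797: a directive must not appear twice
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def evaluate(status, headers, min_max_age=RECOMMENDED_MIN_MAX_AGE):
    """Return a list of findings for one response; an empty list means HSTS is fine."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 300 <= status < 400 and lower.get("location", "").startswith("http://"):
        findings.append("redirect target is plain http: %s" % lower["location"])
    value = lower.get("strict-transport-security")
    if value is None:
        findings.append("no Strict-Transport-Security header on %d response" % status)
        return findings
    parsed = parse_hsts(value)
    if parsed is None:
        findings.append("malformed Strict-Transport-Security header: %r" % value)
        return findings
    if parsed["max-age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif parsed["max-age"] < min_max_age:
        findings.append("max-age %d is below %d" % (parsed["max-age"], min_max_age))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_REDIRECT_WITHOUT_HSTS = (302, {
    "Location": "https://idp.example.org/saml2/idp/SSOService.php?SAMLRequest=CONSTRUCTED",
    "Cache-Control": "no-cache, private",
})
SAMPLE_REDIRECT_WITH_HSTS = (302, {
    "Location": "https://idp.example.org/saml2/idp/SSOService.php?SAMLRequest=CONSTRUCTED",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        status, headers = fetch_without_redirect(sys.argv[1])  # e.g. https://site/user/login
    else:
        status, headers = SAMPLE_REDIRECT_WITHOUT_HSTS
    for line in evaluate(status, headers) or ["ok: valid HSTS on %d response" % status]:
        print(line)
```

Run it with the site's login URL as the only argument to test a live site, or with no argument to see the findings for the constructed redirect. Browsers only honour Strict-Transport-Security on responses received over TLS, so the URL checked must be https; a header on a plain-http response is ignored by the user agent.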

Proposed resolution

Provide an optional integration with the Security Kit module to set the HSTS headers, as well as any other relevant headers that Security Kit allows you to set.

Security Kit has a large installed base, and is one of Acquia's recommended modules to set HSTS.

Remaining tasks

[ ] Determine if this integration is worthwhile.
[ ] If it is worthwhile, what is the integration approach?

User interface changes

TBD - Depends on integration approach.

API changes

TBD - Depends on integration approach.

Data model changes

None expected.

✨ Feature request
Status

Active

Version

3.2

Component

Code

Created by

United States partyka


Comments & Activities


  • United States pbabin

    For those of you in Acquia Cloud Site Factory seeing this feature request, you can set a Strict-Transport-Security header using a factory hook and this won't be an issue.
