View Issue Details

ID: 0012881
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-09-05 01:19
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: major
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0012881: Add support for Strict-Transport-Security header
Description

When a MantisBT session is loaded in a secure browser session, tell the user's browser to always use a secure connection on future visits.

See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security for a full description of what this HTTP header achieves.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0021262 (closed, dregad): Invalid Strict-Transport-Security header when server would already send it anyway

Activities

grangeway
2013-04-05 17:57
reporter ~0036462

Marking as 'acknowledged', not resolved/closed, to track that this change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 583cdbd8

2011-03-25 10:28:09

dhx

Issue 0012881: Support Strict-Transport-Security header

See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security for a
full description of what this header achieves.
mod - core/http_api.php

MantisBT: master-1.3.x 2e7fac44

2016-09-01 10:30:18

dregad

Committer: vboctor
Do not set HSTS header

Enabling HTTP Strict-Transport-Security should be a decision made by the
system administrator, and implemented at server level, probably
site-wide and not just for MantisBT's PHP files.

Furthermore, Mantis setting this header causes issues if it is already
set for the server (invalid header), and may have unwanted side effects
as described in 0021262.

This reverts the change implemented to resolve issue 0012881.

Fixes 0021262
mod - core/http_api.php

MantisBT: master 968f83a9

2016-09-01 10:30:18

dregad

Committer: vboctor
Do not set HSTS header

Enabling HTTP Strict-Transport-Security should be a decision made by the
system administrator, and implemented at server level, probably
site-wide and not just for MantisBT's PHP files.

Furthermore, Mantis setting this header causes issues if it is already
set for the server (invalid header), and may have unwanted side effects
as described in 0021262.

This reverts the change implemented to resolve issue 0012881.

Fixes 0021262
mod - core/http_api.php
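The revert commits above describe the failure mode: when both the PHP application and the web server emit Strict-Transport-Security, the response carries two copies of the header. The checker below is an added example (not MantisBT code) that inspects a response's header list the way a browser would under RFC 6797: it flags duplicate fields, a header sent over plain HTTP, a malformed or repeated directive, and a missing, zero or short max-age. The header tuples it takes as input are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 6797 directive grammar: name [= value], value is a token or a quoted-string.
_DIRECTIVE_RE = re.compile(r'''^\s*([\w!#$%&'*+.^`|~-]+)(?:=(?:"([^"]*)"|([^\s";,]+)))?\s*$''')


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one Strict-Transport-Security field value into {name: value}.

    Returns None when a conforming browser would ignore the field: a directive
    that does not match the grammar, or one that appears more than once.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty elements between semicolons are allowed
        m = _DIRECTIVE_RE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return None
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def check_hsts(headers: List[Tuple[str, str]], scheme: str) -> List[str]:
    """Return findings for the HSTS headers of one response (empty list = OK)."""
    findings: List[str] = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    if scheme.lower() != "https":
        findings.append("HSTS sent over plain HTTP: browsers ignore it")
    if len(sts) > 1:
        # The case from the revert commit: application and server both set it.
        findings.append("%d Strict-Transport-Security fields: browsers honour only "
                        "the first; the application and the web server both set it" % len(sts))
    parsed = parse_hsts(sts[0])
    if parsed is None:
        return findings + ["malformed HSTS value: browsers ignore the field"]
    max_age = parsed.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or non-numeric: field is ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the host from the browser's HSTS list")
    elif int(max_age) < 31536000:
        findings.append("max-age shorter than one year")
    return findings
```

Running `check_hsts` against the headers a deployment actually returns (for example, the list from an HTTP client library's response object) shows whether the server-level configuration the commit recommends is the only source of the header.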

Issue History

Date Modified Username Field Change
2011-03-25 06:33 dhx New Issue
2011-03-25 06:33 dhx Status new => assigned
2011-03-25 06:33 dhx Assigned To => dhx
2011-03-25 06:34 dhx Status assigned => resolved
2011-03-25 06:34 dhx Changeset attached => MantisBT master 583cdbd8
2011-03-25 06:34 dhx Fixed in Version => 1.3.0-beta.1
2011-03-25 06:34 dhx Resolution open => fixed
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036462
2013-04-05 18:06 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-10-18 16:42 atrol Product Version 1.3.0-beta.1 => 1.2.15
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check
2014-12-08 00:33 vboctor Status resolved => closed
2016-09-01 10:26 dregad Relationship added related to 0021262
2016-09-05 01:18 vboctor Changeset attached => MantisBT master-1.3.x 2e7fac44
2016-09-05 01:19 vboctor Changeset attached => MantisBT master 968f83a9