fix: conditional HSTS via FORCE_HTTPS, safe for enterprise without certs
HSTS (Strict-Transport-Security) is now opt-in via FORCE_HTTPS=true. Without it enabled, no HSTS header is sent — safe for dev environments and enterprise deployments behind HTTP-only proxies without HTTPS certs. When FORCE_HTTPS=true, sends 'max-age=31536000; includeSubDomains'. Enterprise recommendation: set HSTS at nginx/ingress level instead. .env.example documents the risk: enabling without certs breaks site access.
This commit is contained in:
@@ -15,3 +15,7 @@ SESSION_SECRET_KEY=change-me-to-a-random-secret
|
||||
FEATURES__DATASET_REVIEW=true
|
||||
FEATURES__HEALTH_MONITOR=true
|
||||
APP_TIMEZONE=Europe/Moscow
|
||||
|
||||
# HSTS — включать только при настроенном HTTPS (nginx/ingress)
|
||||
# Включение без сертификатов сломает доступ к сайту!
|
||||
# FORCE_HTTPS=true
|
||||
|
||||
Reference in New Issue
Block a user