Increase HSTS max-age to default to one year (#10564)

kubernetes · Oct 27, 2023 · 8c3aeaa · 8c3aeaa
1 parent 7e7001d
commit 8c3aeaa
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 5 deletions.
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
@@ -62,7 +62,7 @@ The following table shows a configuration option's name, type, and the default v
 |[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128||
 |[hsts](#hsts)|bool|"true"||
 |[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"||
-|[hsts-max-age](#hsts-max-age)|string|"15724800"||
+|[hsts-max-age](#hsts-max-age)|string|"31536000"||
 |[hsts-preload](#hsts-preload)|bool|"false"||
 |[keep-alive](#keep-alive)|int|75||
 |[keep-alive-requests](#keep-alive-requests)|int|1000||

diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
@@ -46,7 +46,7 @@ const (
 	// that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
 	// https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
 	// max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
-	hstsMaxAge = "15724800"
+	hstsMaxAge = "31536000"
 
 	gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"
 

diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf
@@ -47,7 +47,7 @@ http {
 			listen_ports = { ssl_proxy = "442", https = "443" },
 
 			hsts = true,
-			hsts_max_age = 15724800,
+			hsts_max_age = 31536000,
 			hsts_include_subdomains = true,
 			hsts_preload = false,
 		})

diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf
@@ -65,7 +65,7 @@ lua_shared_dict ocsp_response_cache 5M;
 		listen_ports = { ssl_proxy = "442", https = "443" },
 
 		hsts = true,
-		hsts_max_age = 15724800,
+		hsts_max_age = 31536000,
 		hsts_include_subdomains = true,
 		hsts_preload = false,
 	})

diff --git a/test/data/config.json b/test/data/config.json
@@ -25,7 +25,7 @@
 		"gzipTypes": "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component",
 		"hsts": true,
 		"hstsIncludeSubdomains": true,
-		"hstsMaxAge": "15724800",
+		"hstsMaxAge": "31536000",
 		"keepAlive": 75,
 		"mapHashBucketSize": 64,
 		"maxWorkerConnections": 16384,