Hello!
Working with Apache 2.4.
I wanted to configure an https host with HSTS:
<VirtualHost *:443>
[...]
Header set Strict-Transport-Security "max-age=31556952"
<Directory "/var/www/...">
Require all granted
[...]
</Directory>
[...]
</VirtualHost>
This works fine. However as soon as I require HTTP authentication on
apache level, the Header directive stops working for unauthenticated
users. Even if I provide "early" after the directive:
Header set Strict-Transport-Security "max-age=31556952"
<Directory "/var/www/...">
Require valid-user
AuthType ...
[...]
</Directory>
or
Header set Strict-Transport-Security "max-age=31556952" early
<Directory "/var/www/...">
Require valid-user
AuthType ...
[...]
</Directory>
Neither provides the HSTS header to an unauthenticated user. Is there
a simple way to inject the HSTS (or any) header to unauthenticated
users?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
