Feature #22165

Allow custom configuration for HSTS settings

Added by Tomer Brisker about 5 years ago. Updated over 4 years ago.

Target version:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:


Cloned from

Description of problem:
Foreman/Satellite currently unconditionally sets the HSTS header to "Strict-Transport-Security: max-age=631152000; includeSubdomains", see

While generally a good idea, HSTS has the issue that browsers will refuse to talk unencrypted to the Satellite at all after seeing the HSTS header once.

However, we want /pub/ and /pulp/repos/…/custom/ to be available via HTTP too.
This is not a problem for yum/dnf/wget/curl, as those neither implement nor ever see the HSTS header from Foreman, but regular users quite often want to browse the repos with their browsers and that is not possible with HSTS on (as /pulp/repos/ requires a client cert from the Katello CA when accessed via HTTPS).

As HSTS works based on domains/hostnames, you cannot exclude /pub/ and /pulp/repos/ from it.

The best solution that comes into my mind would be allowing to disable and/or change the HSTS settings, so that the users at least can decide if they want HSTS or not (but still leave it on by default).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. curl -I

Actual results:
Strict-Transport-Security: max-age=631152000; includeSubdomains

Expected results:
Depending on the settings

Additional info:
The error you see in Firefox is:
An error occurred during a connection to SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

The error you see in Chrome is:
This site can’t provide a secure connection didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.

Associated revisions

Revision dbdac61f (diff)
Added by Tomer Brisker about 5 years ago

Fixes #22165 - Allow disabling HSTS header

If a user browses to the Foreman server using HTTPS, HSTS headers will
prevent the browser from connecting to the server again using HTTP. This
adds a setting that allows disabling this header for users requiring
browser access to the server.

Revision 3abb8b1d (diff)
Added by Tomer Brisker about 5 years ago

Refs #22165 - Add installer support for disabling hsts


#1 Updated by The Foreman Bot about 5 years ago

  • Assignee set to Tomer Brisker
  • Status changed from New to Ready For Testing
  • Pull request added

#2 Updated by The Foreman Bot about 5 years ago

  • Pull request added

#3 Updated by Marek Hulán about 5 years ago

  • Legacy Backlogs Release (now unused) set to 330

#4 Updated by Anonymous about 5 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

Also available in: Atom PDF