Hi Wei, So while absearch was on 2.0.2, Strict-Transport-Security appears twice as a header (ex https://search.services.mozilla.com/__version__) and once for 404s. I was not aware that it was already configured and the security baseline check did not pass because it appeared twice. So I thought removing it in the codebase would be easiest/bother the least amount of people, hence 2.0.3, but then realized the security baseline check still didn't pass because it wasn't there for 404s. Currently, I was thinking that the changes for 2.0.3 and the changes in the deployment configuration would allow the security baseline check to pass as it would only appear once and appear for 404s?
Bug 1702338 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Hi Wei, So while absearch was on 2.0.2, Strict-Transport-Security appears twice as a header (ex https://search.services.mozilla.com/__version__) and once for 404s. I was not aware that it was already configured and the security baseline check did not pass because it appeared twice. So I thought removing it in the codebase would be easiest/bother the least amount of people, hence 2.0.3, but then realized the security baseline check still didn't pass because it wasn't there for 404s anymore. Currently, I was thinking that the changes for 2.0.3 and the changes in the deployment configuration would allow the security baseline check to pass as it would only appear once and appear for 404s?
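
Added example (not part of the bug comment, not absearch code, and not the security baseline check itself): a small offline check that counts `Strict-Transport-Security` headers in a raw response and applies it to the three states the comment describes. The pass rule "exactly one header per response", the helper names, the `max-age` value and the sample responses are assumptions constructed for illustration.

```python
HSTS = "strict-transport-security"

def hsts_values(raw_response):
    """Return every Strict-Transport-Security value in a raw header block."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HSTS:  # header names are case-insensitive
            values.append(value.strip())
    return values

def check(raw_response):
    """Assumed rule: the header must be present exactly once."""
    count = len(hsts_values(raw_response))
    if count == 0:
        return "missing"
    if count > 1:
        return "duplicate"
    return "ok"

def response(status, hsts_count):
    """Build a constructed sample response carrying hsts_count HSTS headers."""
    lines = ["HTTP/1.1 %s" % status, "Content-Type: application/json"]
    lines += ["Strict-Transport-Security: max-age=31536000"] * hsts_count
    return "\r\n".join(lines) + "\r\n\r\n{}"

# Header counts per status code, as the comment describes each state.
# The last entry is the outcome the comment proposes, not an observed result.
STATES = {
    "2.0.2": {"200": 2, "404": 1},
    "2.0.3": {"200": 1, "404": 0},
    "2.0.3 + deployment config change": {"200": 1, "404": 1},
}

def audit(states=STATES):
    """Run the check against a 200 and a 404 sample for every state."""
    return {
        name: {status: check(response(status, n)) for status, n in counts.items()}
        for name, counts in states.items()
    }

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

The same `check` can be run on headers captured from a real 200 and a real 404, since the comment shows that the two paths can differ.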