Ratchet
HTTP Strict-Transport-Security / How or where can I add the header?
Hi,
We use Ratchet with TLS as a WebSocket server (wss://) and so far it works very well. However, after a security screening we were told that it would be a good idea to use HTTP Strict-Transport-Security also for WebSockets.
Basically we would like to add the following header:
header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");
Where could this happen?
Thanks.
You could have a class implementing \Ratchet\HttpServer\HttpServerInterface that decorates HttpServer and add this to the Response. See how WsServer does this.
Thank you for the idea! I will check this. Best, Ralf
From: Chris Boden, sent Sunday, May 2, 2021 2:19:15 PM, re: ratchetphp/Ratchet #865:
> You could have a class implementing \Ratchet\HttpServer\HttpServerInterface that decorates HttpServer and add this to the Response. See how WsServer (https://github.com/ratchetphp/Ratchet/blob/master/src/Ratchet/WebSocket/WsServer.php#L117) does this.
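Once the header has been added, the handshake response can be checked for it. The following is an added example, not code from this thread or from Ratchet: it parses a captured response head and validates the Strict-Transport-Security value against RFC 6797 and the hstspreload.org submission requirements (max-age of at least one year plus includeSubDomains). The sample response and all function names are constructed for illustration.

```python
import re

# Constructed sample: a 101 handshake response carrying the header from the question.
SAMPLE = (b"HTTP/1.1 101 Switching Protocols\r\n"
          b"Upgrade: websocket\r\n"
          b"Connection: Upgrade\r\n"
          b"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
          b"\r\n")

def hsts_values(raw):
    """Return every Strict-Transport-Security field value in a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_hsts(value):
    """Parse one field value (RFC 6797 section 6.1); return None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                               # empty directives are permitted
        name, _, arg = part.partition("=")
        name = name.strip().lower()                # names are case-insensitive
        if name in directives:
            return None                            # each directive may appear once
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                                # max-age is required
    return directives

def check_handshake(raw):
    """Return a list of findings; an empty list means the policy looks sound."""
    values = hsts_values(raw)
    if not values:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(values[0])                 # clients process only the first one
    if policy is None:
        return ["malformed Strict-Transport-Security value"]
    findings = []
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the HSTS policy")
    if "preload" in policy and (max_age < 31536000 or "includesubdomains" not in policy):
        findings.append("preload needs max-age >= 31536000 and includeSubDomains")
    return findings
```

`check_handshake(SAMPLE)` returns an empty list for the header value quoted in the question.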