
@macdiesel


Make sure that the following steps are done before merging:

  • Have a Site Reliability Engineer review the PR if you don't own all of the services impacted.
  • If you are adding any new default values that need to be overridden when this change goes live, update internal repos and add an entry to the top of the CHANGELOG.
  • Performed the appropriate testing.

Copilot AI review requested due to automatic review settings November 6, 2025 19:53

Copilot AI left a comment


Pull Request Overview

This PR enhances the HSTS (HTTP Strict Transport Security) configuration across all nginx site templates to align with HSTS preload best practices.

  • Standardizes HSTS headers to include includeSubDomains and preload directives across all templates
  • Increases the default NGINX_HSTS_MAX_AGE from 1 year (31536000 seconds) to 2 years (63072000 seconds)
  • Replaces hardcoded max-age values with the configurable {{ NGINX_HSTS_MAX_AGE }} variable in program_console.j2 and learner_portal.j2

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| playbooks/roles/nginx/defaults/main.yml | Increases default HSTS max-age from 1 year to 2 years |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2 | Adds includeSubDomains and preload directives to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2 | Adds preload directive to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/program_console.j2 | Replaces hardcoded max-age with variable and adds preload directive |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 | Adds preload directive to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/learner_portal.j2 | Replaces hardcoded max-age with variable and adds preload directive |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2 | Adds preload directive to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2 | Adds preload directive to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2 | Adds includeSubDomains and preload directives to HSTS header |
| playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2 | Adds preload directive to HSTS header |
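
A check for the header values this PR standardizes, as an added example that is not code from the PR or the repository: it pulls `Strict-Transport-Security` values out of rendered nginx configuration and reports what would block preload eligibility. The sample config, the function names and the one-year minimum (taken from the hstspreload.org submission criteria) are assumptions not stated on the page.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year: minimum per hstspreload.org (assumption)
HSTS_LINE = re.compile(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', re.I)

def parse_hsts(value):
    """Split a header value into {lowercased directive: argument or None}."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a directive must not appear twice
            raise ValueError(f"duplicate directive {name}")
        directives[name] = arg.strip().strip('"') or None
    return directives

def preload_problems(value):
    """Return the reasons a header value would fail the preload criteria."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    problems += [f"missing {f}" for f in ("includesubdomains", "preload") if f not in d]
    return problems

def audit(rendered_conf):
    """Map each HSTS header value found in rendered nginx config to its problems."""
    return {v: preload_problems(v) for v in HSTS_LINE.findall(rendered_conf)}

# Constructed sample of rendered output (not the repository's templates).
SAMPLE = '''
server { add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; }
server { add_header Strict-Transport-Security "max-age=31536000"; }
server { add_header Strict-Transport-Security "max-age=86400; includeSubDomains; preload"; }
'''

if __name__ == "__main__":
    for header, problems in audit(SAMPLE).items():
        print(header, "->", problems or "preload-ready")
```

Run it against the rendered site files rather than the `.j2` templates, since `{{ NGINX_HSTS_MAX_AGE }}` is only a number after templating.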

