From 4410e8b71cae55972a61b251bd39979b9ff77d74 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 31 May 2018 19:04:06 +0100
Subject: [PATCH] Make sure STS and Expect-CT headers are set on redirect
 responses

---
 cookbooks/apache/templates/default/ssl.erb | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 6835e8ea5..ffbbcbb5e 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -15,9 +15,6 @@ SSLStaplingErrorCacheTimeout 60
 SSLStaplingReturnResponderErrors off
 SSLStaplingFakeTryLater off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
-<% if node[:ssl][:strict_transport_security] -%>
 
-Header setifempty Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" env=HTTPS
-<% end -%>
-
-Header setifempty Expect-CT "max-age=0, report-uri=\"https://openstreetmap.report-uri.com/r/d/ct/reportOnly\"" env=HTTPS
+Header always set Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" "expr=%{HTTPS} == 'on'"
+Header always set Expect-CT "max-age=0, report-uri=\"https://openstreetmap.report-uri.com/r/d/ct/reportOnly\"" "expr=%{HTTPS} == 'on'
-- 
2.43.2