问题
I have the following handlers section in my app.yaml:
handlers:
- url: /(robots\.txt|sitemap\.xml)
static_files: \1
upload: (robots\.txt|sitemap\.xml)
secure: always
http_headers:
Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'
- url: /.*
script: main.app
secure: always
http_headers:
Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'
and another subdomain, served by the another submodule (static.yaml) has the following:
handlers:
- url: /
static_dir: files
secure: always
http_headers:
Access-Control-Allow-Origin: '*'
Strict-Transport-Security: 'max-age=63072000; preload'
I was able to deploy static.yaml without any issues to the appengine:
$ appcfg.py update static.yaml
12:48 PM Host: appengine.google.com
12:48 PM Application: XXXXXX; module: static; version: 1
12:48 PM
Starting update of app: XXXXXXXX, module: static, version: 1
12:48 PM Getting current resource limits.
12:48 PM Scanning files on local disk.
[...]
[...]
12:49 PM Checking if updated app version is serving.
12:49 PM Completed update of app: XXXXXX, module: static, version: 1
whereas, when I try to update the app.yaml configuration, I get:
$ appcfg.py update app.yaml
12:48 PM Host: appengine.google.com
Usage: appcfg.py [options] update <directory> | [file, ...]
appcfg.py: error: Error parsing .\app.yaml: Unexpected attribute "http_headers" for mapping type script.
in ".\app.yaml", line 31, column 1.
I understand that it means I'd have to handle HSTS configuration in my python script itself. But, I have ~10 handlers in the main.app interface. Instead of updating each of those to add the STS header, is there some alternative to do so at app.yaml level itself?
Checking the app.yaml reference on GAE, there is no mention of restriction of http_header directive in script type mapping.
回答1:
You can use app.yaml to control HTTP headers for static file handlers and not dynamic handlers. You would need to set the header within your app code.
回答2:
As the doc: https://cloud.google.com/appengine/docs/flexible/nodejs/using-custom-domains-and-ssl
You cannot use Strict-Transport-Security headers unless your domain is whitelisted. To place your domain in the whitelist, contact ...
UPDATE
As of 2018, custom domains don't need to be whitelisted. In other words, HSTS headers are not stripped out anymore.
回答3:
I was looking over http headers in app.yaml today and saw this. It appears to be related to your issue.
In addition, the header Strict-Transport-Security is removed from responses served from any domains other than *.appspot.com.
https://cloud.google.com/appengine/docs/python/how-requests-are-handled#Python_Responses
来源:https://stackoverflow.com/questions/39544193/adding-hsts-headers-in-app-yaml-google-app-engine