I was looking for a way to enable HSTS (HTTP Strict Transport Security).
I can modify the portal ood-portal.conf.erb and get it working that way but that doesn’t seem like a reliable solution when doing updates to new versions.
Is there a place that I am not seeing where I can enable HSTS and if not can this be added as an option that can be enabled via the ood_portal.yml file?
Since OnDemand doesn’t currently provide a way for arbitrary Apache config items, an alternative to modifying ood-portal.conf.erb would be to set the header globally. If no services being served by that Apache instance ever will require http and can always be https, or the only purpose of this Apache instance is to serve OnDemand, you could try adding a file like /opt/rh/httpd24/root/etc/httpd/conf.d/strict_security_transport.conf with the contents:
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Meanwhile I’m going to look at a modification ensuring this is set by default in a 1.8 patch release this month (but that would specifically apply to the OnDemand VirtualHost).
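One way to check the header value once Apache is serving it, added here as an example (not code from this thread or from OnDemand). It parses a Strict-Transport-Security value using the RFC 6797 rules (case-insensitive directive names, no duplicates, max-age required) and flags weak settings; the function names, the simplified directive grammar and the one-year `min_age` default are assumptions made for this example.

```python
import re

# Simplified RFC 6797 directive grammar (assumption: names are letters,
# digits and '-'; values are a bare token or a quoted string without ';').
_DIRECTIVE = re.compile(
    r'^([A-Za-z][A-Za-z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|([^\s";]+)))?$')

def parse_hsts(value):
    """Return {lowercased directive name: value or None}; ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives (";;" or a trailing ";") are permitted
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:     # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives

def audit_hsts(value, min_age=31536000):
    """Return a list of problems with the header value (empty list = OK)."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(age) < min_age:
        problems.append(f"max-age {age} is below {min_age}")
    if "preload" in d and "includesubdomains" not in d:
        problems.append("preload without includeSubDomains")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the first is the value from the reply above.
    for sample in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300", "includeSubDomains", "max-age=1; max-age=2"):
        print(repr(sample), "->", audit_hsts(sample) or "OK")
```

Feed it the value of the Strict-Transport-Security response header taken from an HTTPS response of the portal; browsers ignore the header when it arrives over plain HTTP.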