uyuni-project · keichwa · Jul 22, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,4 @@
+- Documented how to disable HSTS in Administration Guide
 - Confidential Computing command updated in Administration Guide
   (bsc#1246638)
 - Fixed troubleshooting procedure about login timeout in Administration

diff --git a/modules/administration/pages/ssl-certs-hsts.adoc b/modules/administration/pages/ssl-certs-hsts.adoc
@@ -3,47 +3,64 @@
 
 HTTP Strict Transport Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[HSTS]) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
 
-{productname} allows enabling HSTS, to enable it for a {productname} Server:
+On {productname}, HSTS is enabled by default.
+If needed, you can disable it on the server following this procedure:
 
 
-.Procedure
-. Create new configuration file:
+
+.Procedure: Disabling HSTS on the server
+. On the server container host, as root, execute the following command to create a new configuration file with setting [literal]``max-age=0``:
+
 +
+
+[source,shell]
 ----
-mgrctl exec -- echo 'Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"' >/etc/apache2/conf.d/zz-spacewalk-www-hsts.conf
+mgrctl exec -- \
+  echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains"' \
+  > /etc/apache2/conf.d/zz-spacewalk-www-hsts.conf
 ----
-+
+
 . Restart Apache with:
+
 +
+
+[source,shell]
 ----
 mgrctl exec -- systemctl restart apache2
 ----
 
 
-To enable it for {productname} Proxies:
+To disable it on proxies:
+
+.Procedure: Disabling HSTS on the proxies
+. On the server container host, as root, execute the following command to create a new configuration file with setting [literal]``max-age=0``:
 
-.Procedure
-. Create new configuration file, for example `/etc/uyuni/custom-httpd.conf`.
-. Add line:
 +
+
+[source,shell]
 ----
- `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains`.
+echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains' \
+  > /etc/uyuni/custom-httpd.conf
 ----
-. Run command:
+
+. Run the command:
+
 +
+
+[source,shell]
 ----
 mgrpxy install podman --tuning-httpd /etc/uyuni/custom-httpd.conf config.tar.gz
 ----
 
 [WARNING]
 ====
 When naming the new config file [literal]``<filename>.conf``, make sure it is loaded at the right time.
-For example, to override something defined in [literal]``spacewalk-www.conf`` the new file needs to be alphabetically after this file. 
+For example, to override something defined in [literal]``spacewalk-www.conf`` the new file needs to be alphabetically after this file.
 For more information about how Apache loads files, see https://httpd.apache.org/docs.
 ====
 
 
-[IMPORTANT] 
+[IMPORTANT]
 ====
 When HSTS is enabled while using the default SSL certificate generated by {productname} or a self-signed certificate, browsers will refuse to connect with HTTPS unless the CA used to sign such certificates is trusted by the browser.
 If you are using the SSL certificate generated by {productname}, you can trust it by importing the file located at `http://<SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT` to the browsers of all users.