feat(router): enable HSTS when enforceHTTPS is set #3866
Conversation
Hmm. I'm wondering if this should be hidden behind a feature flag or not, considering that this is an opt-in security enhancement. \cc @deis/core-maintainers |
I chose this to be triggered by |
This is great, I was just thinking about doing this yesterday! I'm with @bacongobbler, this should probably be behind a feature flag. Some users may not want it and others may not understand it and break things if they decide to disable SSL. Maybe use these keys instead? Now, off to create a pull request for the Public-Key-Pins header :) |
Great suggestions @croemmich, updated. I've updated the default |
I also don't see a use case for disabling |
When browsers see the HSTS header on an HTTPS request then they rewrite all links for the current domain that point at HTTP resources to point to HTTPS resources. When /deis/router/enforceHTTPS is set, using HSTS avoids the extraneous 301 redirect to the HTTPS resource and prevents [some threats][1]. The HTTPS Strict Transport Security header mechanism is defined in [RFC-6797][2]

[1]: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
[2]: https://tools.ietf.org/html/rfc6797
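The PR description above explains the intended end state: plain-HTTP requests get a permanent redirect to `https://`, and the HTTPS response carries a `Strict-Transport-Security` header that browsers then honour. The following is an added example, not code from this pull request or from the deis router, that checks that end state from captured response headers: it parses the header per RFC 6797 (mandatory, non-repeated `max-age`; case-insensitive directive names; unknown directives ignored) and reports findings a reviewer doing the "manual testing" mentioned below would look for. The sample headers, the hypothetical `ONE_YEAR` threshold and the hostnames are constructed for the example.

```python
"""Added example: sanity-check an enforceHTTPS + HSTS deployment from captured
response headers. Not deis router code; all header samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; hypothetical minimum max-age we treat as adequate


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    max-age is mandatory and must appear only once; directive names are
    case-insensitive; directives the parser does not know are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # value may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"invalid max-age value: {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HSTSPolicy(max_age, include_subdomains, preload)


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_enforcement(http_status: int, http_headers: Dict[str, str],
                      https_headers: Dict[str, str],
                      min_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings; an empty list means the setup looks right.

    The plain-HTTP side must permanently redirect to https://, and the HTTPS
    side must carry an adequate policy. Browsers ignore an STS header received
    over plain HTTP (RFC 6797 section 8.1), so one there does not count.
    """
    findings: List[str] = []
    location = _get(http_headers, "Location") or ""
    if http_status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("HTTP endpoint does not permanently redirect to https://")
    sts = _get(https_headers, "Strict-Transport-Security")
    if sts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
        return findings
    try:
        policy = parse_hsts(sts)
    except ValueError as exc:
        findings.append(f"malformed Strict-Transport-Security: {exc}")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample captures (not real deis responses).
GOOD_HTTP = (301, {"Location": "https://app.example.com/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
BAD_HTTP = (200, {"Strict-Transport-Security": "max-age=31536000"})  # STS over HTTP only
BAD_HTTPS: Dict[str, str] = {}

if __name__ == "__main__":
    print("good:", check_enforcement(*GOOD_HTTP, GOOD_HTTPS))
    print("bad:", check_enforcement(*BAD_HTTP, BAD_HTTPS))
```

The `max-age=0` case is flagged separately because it is the documented way to revoke a policy: a router that emits it while `enforceHTTPS` is still set would silently undo the protection, and an operator who later disables SSL (the concern raised in the thread) can use it deliberately to let clients forget the pin before the redirect goes away.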
That sounds like the way to go. Code LGTM. This needs some manual testing IMHO to ensure |
Code LGTM. |
Tested, LGTM. |
feat(router): enable HSTS when enforceHTTPS is set
When browsers see the HSTS header on an HTTPS request then they rewrite
all links for the current domain that point at HTTP resources to point
to HTTPS resources. When /deis/router/enforceHTTPS is set, using HSTS
avoids the extraneous 301 redirect to the HTTPS resource and prevents
some threats. The HTTPS Strict Transport Security header mechanism
is defined in RFC-6797