NCIOCPL / clinical-trials-search-print

Print service for clinical trial search

Enabler: Redirect root document to Cancer.Gov #88

Closed blairlearn closed 2 years ago

blairlearn commented 2 years ago

Set up a redirect of the root document

The redirect currently in place on the ALB for the / route is unable to implement HSTS. We'll need to set this up in the application's config.

Rules need to be applied in this order:

  1. If a request comes in on HTTP, redirect to HTTPS.
  2. On HTTPS responses, add a strict-transport-security header with a value of max-age=31536000; includeSubDomains; preload
  3. If the request is for /, then redirect to https://www.cancer.gov.

As part of deploying this change, it will be necessary to remove the current ALB rule which handles the / path.

ESTIMATE TBD


blairlearn commented 2 years ago

Somewhere in the system.webServer section, the rule should look something like this.

    <rewrite>
      <rules>
        <!-- Rule 1: any plain-HTTP request is bounced to the same host/path over HTTPS.
             stopProcessing="true" means the root redirect below never sees an HTTP request. -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Rule 3: "^$" matches the empty path, i.e. a request for "/". Because rule 1 runs
             first, this only fires for requests that are already on HTTPS. -->
        <rule name="Redirect root" stopProcessing="true">
          <match url="^$" />
          <action type="Redirect" url="https://www.cancer.gov" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Rule 2: set Strict-Transport-Security on every HTTPS response, including the
             redirect responses produced above. Plain-HTTP responses get no HSTS header. -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>

IMPORTANT: Verify the Redirect root rule only fires when the connection is already HTTPS.
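The following is an added example, not code from the clinical-trials-search-print project or from the issue author. It models the three-rule ordering described in the issue (HTTP-to-HTTPS redirect first, HSTS on every HTTPS response, root redirect to Cancer.Gov only once on HTTPS) so the ordering property behind the "IMPORTANT" note can be checked offline, and it includes a small live checker that issues the same two requests against a deployed host. The host name passed to `check_deployment` is a placeholder the caller supplies; the `apply_rules` function is a constructed simulation of URL Rewrite behaviour, not IIS itself.

```python
"""Model of the rewrite rule chain from this issue, plus a live checker.

Added example (assumption): the rule model simulates the IIS URL Rewrite
behaviour described in the issue; it is not the project's own code.
"""
import http.client
import sys
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Values taken from the issue text.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"
ROOT_TARGET = "https://www.cancer.gov"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def apply_rules(scheme: str, host: str, path: str) -> Response:
    """Apply the rules in the order the issue requires.

    1. HTTP -> HTTPS redirect (stopProcessing: nothing else runs).
    2. HSTS header on every HTTPS response (outbound rule).
    3. "/" on HTTPS -> redirect to cancer.gov.
    """
    if scheme == "http":
        # Rule 1: same host and path, scheme upgraded. No HSTS on a plain-HTTP
        # response; browsers ignore the header over HTTP anyway.
        return Response(301, {"Location": f"https://{host}{path}"})

    resp = Response(200, body="print service")  # constructed placeholder body
    if path == "/":
        # Rule 3: only reached for requests that are already HTTPS.
        resp = Response(301, {"Location": ROOT_TARGET})

    # Rule 2 (outbound): every HTTPS response carries HSTS, redirects included.
    resp.headers["Strict-Transport-Security"] = HSTS_VALUE
    return resp


def check_deployment(host: str, timeout: float = 10.0) -> list:
    """Issue the two requests against a deployed host and return findings.

    An empty list means all three rules were observed. Needs network access;
    `host` is a placeholder supplied by the caller (assumption).
    """
    findings = []

    # Plain-HTTP "/" must bounce to HTTPS on the *same* host, not to cancer.gov.
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")
    r = conn.getresponse()
    loc = r.getheader("Location", "")
    parts = urlsplit(loc)
    if r.status not in (301, 308) or parts.scheme != "https" or parts.hostname != host:
        findings.append(f"http://{host}/ did not redirect to https://{host}/: {r.status} {loc}")
    if r.getheader("Strict-Transport-Security"):
        findings.append("HSTS header present on a plain-HTTP response")
    conn.close()

    # HTTPS "/" must carry HSTS and redirect to the root target.
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    conn.request("GET", "/")
    r = conn.getresponse()
    if r.getheader("Strict-Transport-Security") != HSTS_VALUE:
        findings.append(f"unexpected HSTS value: {r.getheader('Strict-Transport-Security')!r}")
    loc = r.getheader("Location", "")
    if r.status not in (301, 302, 307, 308) or loc.rstrip("/") != ROOT_TARGET:
        findings.append(f"https://{host}/ did not redirect to {ROOT_TARGET}: {r.status} {loc}")
    conn.close()
    return findings


if __name__ == "__main__":
    # Offline: show the chain a browser would follow for http://<host>/
    first = apply_rules("http", "print.example", "/")
    second = apply_rules("https", "print.example", "/")
    print("step 1:", first.status, first.headers)
    print("step 2:", second.status, second.headers)
    if len(sys.argv) > 1:
        # Live: python rules_check.py <deployed-host>
        for finding in check_deployment(sys.argv[1]) or ["all three rules observed"]:
            print(finding)
```

The offline model makes the ordering concern explicit: an HTTP request for `/` first receives a redirect to `https://<same host>/` without an HSTS header, and only the second, HTTPS request gets both the HSTS header and the redirect to Cancer.Gov. The live checker asserts the same two steps against a real deployment after the ALB rule for `/` has been removed.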