Valian / docker-nginx-auto-ssl

Docker image for automatic generation of SSL certs using Let's encrypt and Open Resty
https://hub.docker.com/r/valian/docker-nginx-auto-ssl/
MIT License

enable HSTS by default #41

Open pperzyna opened 4 years ago

pperzyna commented 4 years ago

What do you think about enabling HSTS as the default?

Valian commented 4 years ago

Hi @pperzyna ;)

HSTS is great, but it's also dangerous - you can't easily turn it off since it's saved locally in users' browsers. People who just want to have SSL don't really care about this until it's too late.

I've deliberately made it optional because I've seen many problems caused by turning it on too early. For example, if someone is just testing and has misconfigured something (for example, not using volumes correctly), they can easily hit the weekly limit of 5 LE certificate renewals. Or someone would like to just "check if it works", but for some reason will decide not to use it. Having HSTS enabled by default makes all of these situations hard to back out of.

On the other hand, currently enabling it requires an image rebuild. Maybe you could submit a PR introducing an ENV variable making it possible to easily turn it on?
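One way to implement the opt-in Valian suggests, as an added example that is not the project's own code: an entrypoint helper that writes an nginx include carrying the HSTS header only when an environment variable is set, so the default stays off and no rebuild is needed. The variable names (`ENABLE_HSTS`, `HSTS_MAX_AGE`) and the include path are assumptions.

```shell
# Added example (not docker-nginx-auto-ssl's code): emit the HSTS directive
# only when the operator opts in, keeping the image HSTS-off by default.
# Variable names and the include path are assumptions, not the project's.

# Print the nginx directive for the given settings; print nothing when disabled,
# so browsers never store a policy the operator did not ask for.
hsts_directive() {
  enable="$1"    # "true" or "1" to opt in
  max_age="$2"   # seconds; keep this small while testing, raise it once stable
  case "$enable" in
    true|TRUE|1)
      printf 'add_header Strict-Transport-Security "max-age=%s" always;\n' "$max_age"
      ;;
    *)
      :  # disabled: no header, so a misconfigured test deployment stays reversible
      ;;
  esac
}

# Write the include consumed by the server block (hypothetical path); an empty
# file is valid for nginx, so the include can be unconditional in the config.
write_hsts_include() {
  out="${1:-/etc/nginx/conf.d/hsts.conf}"
  hsts_directive "${ENABLE_HSTS:-false}" "${HSTS_MAX_AGE:-300}" > "$out"
}
```

Because the header is only emitted on opt-in, a deployment that is still being tested (volumes, rate limits) never pins HSTS in visitors' browsers; the default of 300 seconds is deliberately short so even an opted-in mistake expires quickly.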