junkurihara / rust-rpxy

A simple and ultrafast http reverse proxy serving multiple domain names and terminating TLS for http/1.1, 2 and 3, written in Rust
https://rpxy.io/
MIT License

TODO: HSTS support #139

Open junkurihara opened 10 months ago

junkurihara commented 10 months ago

RFC: https://datatracker.ietf.org/doc/html/rfc6797

Any idea of a configuration directive specifying HSTS for an app in TOML file?

paulocoghi commented 10 months ago

Looking into the security headers on Traefik documentation and examples (here), as well as this user suggestion, this could be one idea:

[http.exampleContext]

  [http.exampleContext.security.headers]
    forceSTSHeader = true
    stsIncludeSubdomains = true
    stsPreload = true
    stsSeconds = 15552000

paulocoghi commented 10 months ago

But I don't like the idea of forceSTSHeader; instead, something simpler like STSHeader.

junkurihara commented 10 months ago

Hi Paulo, thanks!

I think it makes sense. max-age (seconds), include_subdomains and preload need to be explicitly specified. But rpxy should enable HSTS only when the HSTS directive (e.g., [experiments.hsts]?) exists.

junkurihara commented 10 months ago

Also IMHO, HSTS does not need to be controlled separately for each backend application. I mean it should be a global option for rpxy to keep the config file as simple as possible.

Or do we need such flexibility in the settings of backend applications?

Gamerboy59 commented 3 months ago

Or do we need such flexibility in the settings of backend applications?

Except for legacy compatibility, I see no benefit in per-upstream configuration. HSTS is on its way to becoming the standard, and a global configuration ensures uniform security policies across all backend applications.

akostadinov commented 2 months ago

Probably as a first step this can be enabled whenever https redirection is configured. Not sure about stsIncludeSubdomains though. Maybe that deserves a separate upstream option. It might be on by default; that's fine in case you believe this should be the standard. But other than that, whether you add a new global option or a new per-upstream option, the complexity of configuration is the same. But the flexibility of the configuration is much higher when per-upstream.
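As an added example (not rpxy's code and not any commenter's), a Rust sketch of how the proposed max-age / include_subdomains / preload settings could become a Strict-Transport-Security value that is attached only to responses sent over TLS, as RFC 6797 section 7.2 requires, and that rejects a preload setting the public preload list would not accept. The HstsConfig type, the function names and the preload thresholds (1-year minimum max-age, includeSubDomains required) are assumptions, not part of rpxy.

```rust
/// Assumed shape of a global HSTS section in the rpxy TOML (hypothetical).
#[derive(Debug, Clone)]
pub struct HstsConfig {
    pub max_age: u64,            // RFC 6797 max-age, in seconds
    pub include_subdomains: bool,
    pub preload: bool,
}

#[derive(Debug, PartialEq)]
pub enum HstsError {
    PreloadNeedsIncludeSubdomains,
    PreloadMaxAgeTooShort(u64),
}

impl HstsConfig {
    /// Reject combinations the browser preload list would not accept:
    /// preload requires includeSubDomains and a max-age of at least one year.
    pub fn validate(&self) -> Result<(), HstsError> {
        if self.preload {
            if !self.include_subdomains {
                return Err(HstsError::PreloadNeedsIncludeSubdomains);
            }
            if self.max_age < 31_536_000 {
                return Err(HstsError::PreloadMaxAgeTooShort(self.max_age));
            }
        }
        Ok(())
    }

    /// Build the header value in RFC 6797 syntax.
    pub fn header_value(&self) -> String {
        let mut v = format!("max-age={}", self.max_age);
        if self.include_subdomains {
            v.push_str("; includeSubDomains");
        }
        if self.preload {
            v.push_str("; preload");
        }
        v
    }
}

/// Header to add to a response, if any. RFC 6797 7.2: the STS header MUST NOT
/// be sent over non-secure transport, so the plain-HTTP redirect gets nothing.
pub fn hsts_header_for(cfg: Option<&HstsConfig>, over_tls: bool) -> Option<(&'static str, String)> {
    let cfg = cfg?;
    if !over_tls {
        return None;
    }
    Some(("strict-transport-security", cfg.header_value()))
}
```

Note that the 15552000-second value from the Traefik snippet above is 180 days, so with preload enabled it fails validation; with preload off it yields "max-age=15552000; includeSubDomains".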