💡 Feature request: Increase HSTS Max Age

[codkan]

Is your feature request related to a problem? Please describe.

HSTS (HTTP Strict Transport Security) max age is too short at 604800, as shown by SSL Labs.

Describe the feature you would like to be implemented

Default built-in HSTS for Redlib should be increased to at least 180 days as recommended by SSL Labs, NIST, etc.

Describe alternatives you've considered

I have tried setting and removing the HSTS age in both my nginx/ssl config files as well as my specific proxy-conf for redlib to no avail, so it seems baked into the code somewhere.

Additional context / screenshot

I host Redlib as well as a number of other services using SWAG which is built on NGINX. I attempted to set HSTS globally in my ssl.conf which worked fine for every site except redlib. But when removing it, redlib still seems to have it enabled somewhere that I cannot find.

[sigaloid]

You can set that in the args: https://github.com/redlib-org/redlib/blob/9a7da3abce7d3e57dbc9ec0b59296e307c4c4968/src/main.rs#L152-L160

[codkan]

@sigaloid My mistake, I had no idea. I'm sorry! Though, would you mind me asking how exactly I would go about increasing the max age in my Docker deployment? I'm not sure quite how to pass it along in the .env environment file

[sigaloid]

That's ok! It's not even documented anywhere, don't worry.

Do you use the Dockerfile or a Docker compose? If you clone the codebase, you can run it via our dev docker. Look around in various files with docker in them, where one of them specifies a command to be run ("./redlib"). Then you can just modify that file and use docker to run it.

[codkan]

@sigaloid I use a Docker Compose and a pretty basic one at that:

` services: redlib: image: quay.io/redlib/redlib:latest-arm restart: always container_name: "redlib" ports:

• 8888:8080 user: nobody read_only: true security_opt:
• no-new-privileges:true

  - seccomp=seccomp-redlib.json

  cap_drop:

• ALL networks:
• redlib

networks: redlib: enable_ipv6: true ipam: config:

• subnet: 2001:0DB8::/112 `

How would I increase the max age for HSTS via the docker compose? Is there a way to add command line arguments and/or flags?

[sigaloid]

Unfortunately, not directly, but what you can do is this:

Clone the codebase, modify the dev Dockerfile to add the new flag. Then build it. That will overwrite your current image tag with the new one. Then whenever there's a codebase update, git pull and rerun the build, then restart the compose file.

That being said I'm considering this to be a bug and will add a configuration option for it

[codkan]

Ah I see. Well, unfortunately I'm not sure the manual update process is worth it. Thank you so much for all your help though, greatly appreciate the project! That's great news; in that case, let me know when the configuration option is added :)