virtkick / http-master

versatile front end http service with reverse proxy
MIT License

incorporate Strict Transport Security #27

Open Nowaker opened 10 years ago

Nowaker commented 10 years ago

Possible HTTP headers:

Strict-Transport-Security: max-age=10886400
Strict-Transport-Security: max-age=10886400; includeSubDomains

This should be sent both on non-SSL responses (e.g. redirects) and, what's interesting, SSL responses.

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

stephenjamieson commented 9 years ago

Any chance this will get added?

Rush commented 9 years ago

Actually you can add this header manually in latest http-master through the use of https://github.com/encharm/http-master#addheader. Perhaps this could be added as an option to ssl with a key of strictSecurity that is set per SNI/host? Does this make sense to you?

stephenjamieson commented 9 years ago

When I tried this it only sent the header to the backend.

Nowaker commented 8 years ago

Perhaps this could be added as an option to ssl with a key of strictSecurity that is set per SNI/host?

As mentioned in the original report, this header needs to be present with both HTTP and HTTPS responses. This setting would be per domain/wildcard globally, not port then domain. Approach 1:

hsts: {
  // Each line shows an alternative form for a key; a real config would use one entry per host.
  'example.com': 60000,
  'example.com': true, // Use default value of 10886400
  'example.com': [60000, 'includeSubDomains'], // Add arbitrary HSTS parameter
  'example.com': [60000, 'includeSubDomains', 'preload'], // Add more parameters
  'example.com': [60000, 'abcd'], // Make it flexible for 
  '*.example.com': 60000, // Automatically add includeSubDomains
  '*.example.com': true, // Use default value + add includeSubDomains
  '*.example.com': [60000, 'preload'], // Explicit list of parameters, don't add includeSubDomains
}

Approach 2 is to enable HSTS globally. In such a case every domain that has an unexpired certificate (#113) would automatically have HSTS enabled. An entry for HSTS would be added to every domain in cert-scan output. Wildcard domains would automatically get includeSubDomains. This is a more common sense approach I lean towards.

'example.com': {
  'key': '...',
  'cert': '...',
  'hsts': 'max-age=10886400'
},
'*.example.com': {
  'key': '...',
  'cert': '...',
  'hsts': 'max-age=10886400; includeSubDomains'
}

However, HSTS should be off by default and enabled by a deliberate and conscious decision. Real crap hits the fan in case of future HSTS misconfiguration. Once HSTS is enabled and actual visitors open a page with HSTS in effect, future misconfiguration of HSTS locks these visitors out of the website for the max-age time if the SSL certificate is not renewed on time and removed. The only way to work around it is to use a different browser or perform manual steps.

Warning: the spelling is includeSubDomains, with a capital D.
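The following is an added example, not http-master's code and not part of this thread: a small Node.js helper that turns a per-host config in the shape of Approach 1 above (a number, `true`, or `[maxAge, ...params]`, with `'*.'` keys adding includeSubDomains) or a literal header string as in Approach 2 into a Strict-Transport-Security value, and sets it on a response only when the connection is TLS. The function names `hstsValueFor` and `applyHsts`, the config layout and the sample config and requests are assumptions for illustration. One caveat the thread does not state: RFC 6797 requires servers not to send the header over non-secure transport and requires browsers to ignore it if they receive it there, so the plain-HTTP redirect leg gains nothing from carrying it.

```javascript
// Added example (not http-master's code): build a Strict-Transport-Security
// header value from a per-host config like "Approach 1"/"Approach 2" above and
// apply it to a Node.js response on TLS connections only.
// hstsValueFor/applyHsts and the config layout are assumed names, not a real API.

const DEFAULT_MAX_AGE = 10886400; // the value used in the issue (126 days)

// Turn one config entry into { maxAge, params }.
function normaliseEntry(entry) {
  if (entry === true) return { maxAge: DEFAULT_MAX_AGE, params: [] };
  if (typeof entry === 'number') return { maxAge: entry, params: [] };
  if (Array.isArray(entry) && typeof entry[0] === 'number') {
    return { maxAge: entry[0], params: entry.slice(1) };
  }
  throw new TypeError('unsupported hsts entry: ' + JSON.stringify(entry));
}

// Most specific config key for a host: exact match first, then the longest
// '*.' wildcard whose suffix the host ends with ('*.example.com' matches
// www.example.com but not example.com itself, like a wildcard certificate).
function lookupKey(config, host) {
  if (Object.prototype.hasOwnProperty.call(config, host)) return host;
  let best = null;
  for (const key of Object.keys(config)) {
    if (!key.startsWith('*.')) continue;
    if (host.endsWith(key.slice(1)) && (best === null || key.length > best.length)) {
      best = key;
    }
  }
  return best;
}

// Header value for a host, or null when HSTS is not configured for it.
function hstsValueFor(config, host) {
  const key = lookupKey(config, String(host).toLowerCase());
  if (key === null) return null;
  const entry = config[key];
  if (typeof entry === 'string') return entry.trim(); // Approach 2: literal header value
  const { maxAge, params } = normaliseEntry(entry);
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('max-age must be a non-negative integer, got ' + maxAge);
  }
  const directives = ['max-age=' + maxAge];
  // Wildcard key: add includeSubDomains unless an explicit parameter list was given.
  if (key.startsWith('*.') && !Array.isArray(entry)) directives.push('includeSubDomains');
  for (const p of params) {
    // Directive names are case-insensitive in RFC 6797, so de-duplicate that way;
    // the spelling itself is passed through as configured.
    if (!directives.some((d) => d.toLowerCase() === String(p).toLowerCase())) {
      directives.push(String(p));
    }
  }
  return directives.join('; ');
}

// Set the header on a response; returns true when it was set. Only TLS sockets
// (socket.encrypted is set by Node's tls module) get it, because RFC 6797 forbids
// sending STS over non-secure transport and browsers ignore it there anyway.
function applyHsts(config, req, res) {
  if (!(req.socket && req.socket.encrypted)) return false;
  const host = String(req.headers.host || '').split(':')[0];
  const value = hstsValueFor(config, host);
  if (value === null) return false;
  res.setHeader('Strict-Transport-Security', value);
  return true;
}

// Constructed sample config and request/response stand-ins (not real traffic).
const sampleConfig = {
  'example.com': 60000,
  '*.example.com': [60000, 'preload'],   // explicit list: no includeSubDomains added
  '*.static.example.com': true,          // default max-age + includeSubDomains
  'legacy.example.org': 'max-age=10886400; includeSubDomains', // Approach 2 style
};

function fakeRequest(host, encrypted) {
  return { headers: { host }, socket: { encrypted } };
}

function fakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [['example.com', true], ['www.example.com', true],
                 ['cdn.static.example.com', true], ['legacy.example.org', true], ['example.com', false]];
  for (const [host, tls] of cases) {
    const res = fakeResponse();
    const set = applyHsts(sampleConfig, fakeRequest(host + (tls ? ':443' : ':80'), tls), res);
    console.log(host, tls ? 'https' : 'http', set ? res.headers['Strict-Transport-Security'] : '(no header)');
  }
}
```

Two operational notes follow from the lockout concern above: RFC 6797 lets a site retract a policy by serving `max-age=0` over a valid HTTPS response (the helper accepts 0 for that reason), and with the 10886400-second default any visitor who saw the header stays locked to HTTPS for 126 days, so the certificate renewal path matters more once this is on.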

greyltc commented 6 years ago

would love to see this get introduced somehow.

hsts support is the difference between an A and an A+ rating on https://www.ssllabs.com/ssltest