code-gov-web

Upgrade HSTS header

Open konklone opened this issue 8 years ago • 9 comments

First of all, it is super awesome that code.gov launched with HTTPS and HSTS. Thank you so much!

Even better would be to get code.gov's subdomains taken care of for perpetuity, which can be done by updating the HSTS header to be:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

More details can be found here, but this will let code.gov get preloaded into browsers, and will ensure that any subdomain gets enforced as HTTPS from the get go.

It's much easier to do this now than later, so I encourage swapping out the header before the site grows large. Thank you again for prioritizing HTTPS/HSTS support for launch!

konklone avatar Aug 08 '16 20:08 konklone

Thanks @konklone!

This is a CloudFront distro pointing to cloud.gov — would best practice be to set that header at the origin or the CDN level?

rossdakin avatar Aug 08 '16 20:08 rossdakin

I don't think CloudFront can set an HSTS header for you -- it has to be done at the origin level. Since there's already an HSTS header in place, it's clearly being set somewhere. My request is to modify its value.

konklone avatar Aug 08 '16 20:08 konklone

@dlapiduz, do you know how we can change this header? I assume it's in the cloud.gov nginx config; is that customizable?

rossdakin avatar Aug 08 '16 22:08 rossdakin

@rossdakin you can upload a custom nginx.conf file and add the header. CloudFront will just pass whatever you set: https://github.com/cloudfoundry/staticfile-buildpack/blob/master/conf/nginx.conf

dlapiduz avatar Aug 09 '16 13:08 dlapiduz

(you can add it to the root of the project)

dlapiduz avatar Aug 09 '16 13:08 dlapiduz

We're waiting on an update from federalist-support on setting the headers

okamanda avatar May 23 '17 20:05 okamanda

The Federalist issue is here: https://github.com/18F/federalist/issues/748

yozlet avatar May 23 '17 20:05 yozlet

Holding until 18F/federalist#748 is resolved. Let me know if you have any questions.

DanielJDufour avatar Feb 05 '18 23:02 DanielJDufour

@DanielJDufour The Federalist issue may never be resolved. It's an open issue, but there's no clear resolution.

If code.gov is otherwise preloadable, then I suggest we do it manually. There's an ongoing effort by DHS to collect .gov domains to be preloaded.

@boberlas Since the team wants to preload code.gov, but can't do it via Federalist right now, can we include this in the list we give to DHS per cyber.dhs.gov?

konklone avatar Feb 09 '18 20:02 konklone