code-gov-web
Upgrade HSTS header
First of all, it is super awesome that code.gov launched with HTTPS and HSTS. Thank you so much!
Even better would be to get code.gov's subdomains taken care of for perpetuity, which can be done by updating the HSTS header to be:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
More details can be found here, but this will let code.gov get preloaded into browsers, and will ensure that any subdomain gets enforced as HTTPS from the get go.
It's much easier to do this now than later, so I encourage swapping out the header before the site grows large. Thank you again for prioritizing HTTPS/HSTS support for launch!
Thanks @konklone!
This is a CloudFront distro pointing to cloud.gov — would best practice be to set that header at the origin or the CDN level?
I don't think CloudFront can set an HSTS header for you -- it has to be done at the origin level. Since there's already an HSTS header in place, it's clearly being set somewhere. My request is to modify its value.
@dlapiduz, do you know how we can change this header? I assume it's in the cloud.gov nginx config; is that customizable?
@rossdakin you can upload a custom nginx.conf file and add the header. CloudFront will just pass whatever you set: https://github.com/cloudfoundry/staticfile-buildpack/blob/master/conf/nginx.conf
(you can add it to the root of the project)
We're waiting on an update from federalist-support on setting the headers
The Federalist issue is here: https://github.com/18F/federalist/issues/748
Holding until 18F/federalist#748 is resolved. Let me know if you have any questions.
@DanielJDufour The Federalist issue may never be resolved. It's an open issue, but there's no clear resolution.
If code.gov is otherwise preloadable, then I suggest we do it manually. There's an ongoing effort by DHS to collect .gov domains to be preloaded.
@boberlas Since the team wants to preload code.gov, but can't do it via Federalist right now, can we include this in the list we give to DHS per cyber.dhs.gov?