Add an option for generating an HSTS header
We should add a config file option that causes Galene to automatically generate an HTTP Strict Transport Security (HSTS) header. Since use of HSTS causes some operational difficulties, this should be optional and disabled by default.
Stefan Vink of Radically Open Security makes the following recommendations:
- Implement HTTP Strict Transport Security (HSTS) header with a long enough max-age directive to ensure that all future requests are made over HTTPS.
- Include the includeSubDomains directive to protect all subdomains under the main domain, if appropriate.
He further gives the following advice:
I would have it as an option (e.g. --hsts) to enable it when HTTPS is used (when the option --insecure is used it should not be set), and show a notice in the console when running as HTTPS with HSTS not enabled. This also helps in the case where Galene is using a reverse proxy (nginx, caddy etc.) and the latter is setting these headers. Mention enabling HSTS in the installation manual when going live with the site, and the potential risks of doing so, e.g. during the initial testing/dev phase you might not want to use it.
I agree. By default it is not used when using HTTPS, which gives the sysadmin the option to choose this. Usually during testing you would disable it.
When an HSTS policy is in place and the certificate expires:
Users are locked out from accessing the site because HSTS enforces HTTPS connections only. Browsers will not allow users to bypass security warnings (some browsers allow overriding this).
Impact:
Visitors will see a "Your connection is not private" error with no option to proceed. This ensures users are protected from potential man-in-the-middle (MITM) attacks, but may also lead to downtime until the certificate is renewed. Note that even if your certificate is expired and you are not using HSTS, it is not recommended for users to proceed; the difference is that HSTS prevents them from accessing it, as they usually cannot ignore the message.
I am somewhat concerned about no longer being able to connect to a site with an expired certificate, which would break access whenever something goes wrong with certificate renewal. Hence, using the option will not be recommended.
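The option discussed in this issue, as an added Go example that is not Galene's own code: HSTSConfig, hstsValue, withHSTS and startupNotice are hypothetical names, and the --insecure flag is assumed to reach the middleware as a plain boolean.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// HSTSConfig is a hypothetical shape for the proposed option; Enabled is false by default.
type HSTSConfig struct {
	Enabled           bool
	MaxAge            time.Duration // long (e.g. a year) once the site is live
	IncludeSubDomains bool
}

// hstsValue returns the Strict-Transport-Security value, or "" when no policy should be
// sent: option disabled, started with --insecure, or the request did not arrive over TLS.
func hstsValue(cfg HSTSConfig, insecure, overTLS bool) string {
	if !cfg.Enabled || insecure || !overTLS {
		return ""
	}
	v := fmt.Sprintf("max-age=%d", int64(cfg.MaxAge/time.Second))
	if cfg.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	return v
}

// withHSTS wraps a handler and adds the header to every qualifying response.
func withHSTS(cfg HSTSConfig, insecure bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := hstsValue(cfg, insecure, r.TLS != nil); v != "" {
			w.Header().Set("Strict-Transport-Security", v)
		}
		next.ServeHTTP(w, r)
	})
}

// startupNotice is the console warning suggested in the thread: HTTPS is on but HSTS
// is not (also the expected state behind a reverse proxy that sets the header itself).
func startupNotice(cfg HSTSConfig, insecure bool) string {
	if insecure || cfg.Enabled {
		return ""
	}
	return "serving HTTPS without HSTS; enable the hsts option once the site is live"
}
func main() {
	cfg := HSTSConfig{Enabled: true, MaxAge: 365 * 24 * time.Hour, IncludeSubDomains: true}
	fmt.Println(hstsValue(cfg, false, true), "|", startupNotice(HSTSConfig{}, false))
}
```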