
HSTS enablement communication and migration for next release

Open Adam-D-Lewis opened this issue 2 months ago • 3 comments

Context

We've added HSTS (HTTP Strict Transport Security) support to Nebari in https://github.com/nebari-dev/nebari/pull/3165, which will be enabled by default for cloud deployments with valid certificates (Let's Encrypt or existing certs).

Tasks Before Next Release

1. User Communication

Explain default behavior:

  • Enabled by default: Cloud providers (AWS/GCP/Azure) with lets-encrypt or existing certificates
  • Disabled by default: local provider or selfsigned certificates
  • User override: Users can explicitly configure ingress.hsts in nebari-config.yaml

2. Configuration Migration

  • [ ] During upgrade process, prompt users to add HSTS config explicitly to their nebari-config.yaml
  • [ ] Allow users to decline if they want
  • [ ] If accepted, add configuration block:
    ingress:
      hsts:
        enabled: true
        max_age: 31536000  # 1 year recommended for production
        include_subdomains: true
        preload: false

3. User Guidance

  • [ ] Provide guidance on testing HSTS before increasing max_age
  • [ ] Explain the progression: 300s (initial) → test → 31536000 (production)
  • [ ] Document browser HSTS clearing procedures if needed

Related Files

  • src/_nebari/stages/kubernetes_ingress/__init__.py
  • src/_nebari/stages/kubernetes_ingress/template/modules/kubernetes/ingress/hsts-middleware.tf
  • src/_nebari/upgrade.py

Adam-D-Lewis avatar Oct 23 '25 19:10 Adam-D-Lewis
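An added example (not Nebari's own upgrade.py or ingress-stage code) of how the default rule and the opt-in migration step from the issue could be implemented; it assumes nebari-config.yaml is loaded as a dict with a `provider` key and a `certificate.type` key (`lets-encrypt`, `existing` or `self-signed`), and also derives the Strict-Transport-Security header value a given block would produce:

```python
# Added illustration, not Nebari's upgrade.py. Assumed config shape:
#   {"provider": "aws", "certificate": {"type": "lets-encrypt"}, "ingress": {...}}
from copy import deepcopy

CLOUD_PROVIDERS = {"aws", "gcp", "azure"}
HSTS_CERT_TYPES = {"lets-encrypt", "existing"}
HSTS_DEFAULT = {
    "enabled": True,
    "max_age": 31536000,  # 1 year, the production value from the issue
    "include_subdomains": True,
    "preload": False,
}


def hsts_enabled_by_default(config):
    """Enabled only for cloud providers with lets-encrypt or existing certs."""
    provider = config.get("provider")
    # Assumption: a missing certificate block means Nebari's self-signed default.
    cert_type = config.get("certificate", {}).get("type", "self-signed")
    return provider in CLOUD_PROVIDERS and cert_type in HSTS_CERT_TYPES


def add_hsts_block(config, accept=True):
    """Migration step: write an explicit ingress.hsts block unless the user
    already has one or declined the prompt. Returns a new dict."""
    migrated = deepcopy(config)
    ingress = migrated.setdefault("ingress", {})
    if not accept or "hsts" in ingress:
        return migrated
    block = dict(HSTS_DEFAULT)
    block["enabled"] = hsts_enabled_by_default(config)
    ingress["hsts"] = block
    return migrated


def hsts_header(hsts):
    """Header value the ingress would send for this block; None when disabled.
    max_age 0 is the recovery path: it tells browsers to drop the cached policy."""
    if not hsts.get("enabled"):
        return None
    parts = [f"max-age={int(hsts.get('max_age', 0))}"]
    if hsts.get("include_subdomains"):
        parts.append("includeSubDomains")
    if hsts.get("preload"):
        parts.append("preload")
    return "; ".join(parts)
```

Running the migration against a local/self-signed config yields `enabled: false`, so the explicit block documents the decision without changing behaviour there.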

@Adam-D-Lewis what are we using as the default max_age for HSTS? I’m thinking about the case where a user deploys a production Nebari instance, browsers cache HSTS, and later they tear it down and redeploy. If the new deployment has any TLS/ingress misconfiguration (or temporary self-signed certs), the long max_age could cause browsers to hard-fail connections for that domain.

Are we starting with a low value (e.g. 300s) by default, or going straight to something like 1 year?

viniciusdc avatar Nov 13 '25 13:11 viniciusdc

I thought about having it go for just a short amount of time like 5 minutes, but it's set to a year currently. In the case that they misconfigure something, they can set the max age to zero in order to get the browser to forget the previous HSTS configuration.

Adam-D-Lewis avatar Nov 13 '25 14:11 Adam-D-Lewis

Underfull, I didn't know it was possible. I don't see any issues then with the suggested approach above.

viniciusdc avatar Nov 13 '25 15:11 viniciusdc