Add support for including a Strict-Transport-Security header (for use only when a proxy or load balancer is handling TLS/SSL)#85
Open
taniwallach wants to merge 1 commit intodrdrew42:mainfrom
Conversation
This header is meant to force browsers to only contact site via TLS/SSL
("https"). Using this header is a commonly recommended security
practice, but is dangerous should the site have any need to work over
plain (port 80) HTTP.
The value for the header is provided in render.conf as a string value
called HSTS_HEADER, and when that value is not provided (or is "false"
for Perl purposes) no Strict-Transport-Security header will be set.
No default value is being provided in render.conf.dist so the header will
not be enabled by accident.
The header should only be used on a server which is available via a proxy
or load balancer which has a valid SSL certificate and handles the TLS/SSL
level (and which will continue to do so for the long-term).
Contributor
Author
|
To test you would want to be using the renderer behind something doing the SSL work as a proxy. into It has been provisionally tested for a renderer running as a target to which the AWS Elastic Application Load Balancer is sending requests for processing, where the ELB is handling the TLS work. Now that this header is being provided, I hope to soon be able to open the address to incoming requests from additional sources. Until now the security team has insisted on it only be available from a very restricted white list of IP addresses. Once the "server" is public, the result of the code in this PR would be something which can be checked on that site. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add support for including a
Strict-Transport-Securityheader.This header is meant to force browsers to only contact site via TLS/SSL ("https"). Using this header is a commonly recommended security practice, but is dangerous should the site have any need to work over plain (port 80) HTTP.
The value for the header is provided in
render.confas a string value calledHSTS_HEADER, and when that value is not provided (or isfalsefor Perl purposes) noStrict-Transport-Securityheader will be set.No default value is being provided in
render.conf.distso the header will not be enabled by accident.The header should only be used on a server which is available via a proxy or load balancer which has a valid SSL certificate and handles the TLS/SSL level (and which will continue to do so for the long-term).
Note: It could be that some proxy setups could add the header at the proxy, but the AWS Elastic Application Load Balancer does not have the option to add this header, but can provide SSL termination, so the header needs to be added on the "back end" (in our case the Standalone renderer).