
HTTP Strict Transport Security (HSTS) header support does not conform to the spec #2122

sindlar opened this issue Jul 20, 2018 · 0 comments
Labels
3 - in progress Someone is working on this ticket t:core Issues related to the akka-http-core module

sindlar commented Jul 20, 2018

HSTS support in akka-http does not conform to the spec:

  • Trailing semicolons are not supported; see here for an occurrence of this bug in the wild.
  • A fixed order of directives is assumed.

See below for a summary of the HSTS header definition.

HSTS header definition

The HSTS spec, Section 6 defines the HSTS header value through the following ABNF syntax:

     Strict-Transport-Security = "Strict-Transport-Security" ":"
                                 [ directive ]  *( ";" [ directive ] )
     directive                 = directive-name [ "=" directive-value ]
     directive-name            = token
     directive-value           = token | quoted-string

From the ABNF spec, Section 2, the following parts are relevant:

   *rule
      The character "*" preceding an element indicates repetition. The
      full form is "<n>*<m>element" indicating at least <n> and at most
      <m> occurrences of element. Default values are 0 and infinity so
      that "*(element)" allows any number, including zero; "1*element"
      requires at least one; and "1*2element" allows one or two.
   [rule]
      Square brackets enclose optional elements; "[foo bar]" is
      equivalent to "*1(foo bar)".

Thus, the HSTS header value syntax can be rewritten to

     Strict-Transport-Security = "Strict-Transport-Security" ":"
                                 0*1( directive )  0*∞( ";" 0*1( directive ) )

In words, this means the value of the HSTS header has

  • an optional directive,
  • followed by any number (0 to infinity) of the following successive elements
    • semicolon
    • an optional directive

In addition to this syntax, the HSTS spec, Section 6.1 imposes some requirements, summarized below insofar as relevant to this issue:

  • The order of appearance of directives is not significant.
  • All directives MUST appear only once in an STS header field. Directives are either optional or required, as stipulated in their definitions.
  • Unrecognized directives must be ignored.
  • The 'max-age' directive is REQUIRED.
  • The 'includeSubDomains' directive is OPTIONAL.
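A parser written against the grammar and requirements summarized above, as an added example (my own code, not akka-http's): it accepts directives in any order, treats empty elements such as a trailing ";" as valid, rejects duplicate directives and a missing or malformed max-age, and ignores unrecognized directives while keeping their names for logging. The `token` and `quoted-string` patterns are assumed from the HTTP grammar the HSTS ABNF refers to, and the names `parse_hsts`, `HstsPolicy` and `is_valid_hsts` are mine.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# token / quoted-string as in the HTTP grammar the HSTS ABNF refers to
# (assumed definitions; the issue quotes only the HSTS productions).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# directive = directive-name [ "=" directive-value ], with optional whitespace
DIRECTIVE_RE = re.compile(rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED_STRING}))?\s*$")
# max-age value is delta-seconds = 1*DIGIT
DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")


class HstsParseError(ValueError):
    """Raised when the header value does not conform to RFC 6797 Section 6."""


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    ignored: Tuple[str, ...] = ()  # unrecognized directive names, kept for logging


def _unquote(value: str) -> str:
    """Strip the quotes and backslash escapes of a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_hsts(header_value: str) -> HstsPolicy:
    directives = {}
    # [ directive ] *( ";" [ directive ] ): split on ";" and allow every element
    # to be empty, so "max-age=1;" and "; max-age=1" are both well-formed.
    for element in header_value.split(";"):
        if not element.strip():
            continue
        m = DIRECTIVE_RE.match(element)
        if m is None:
            raise HstsParseError(f"malformed directive: {element!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        value = _unquote(m.group(2)) if m.group(2) is not None else None
        if name in directives:  # "All directives MUST appear only once"
            raise HstsParseError(f"duplicate directive: {name}")
        directives[name] = value

    # max-age is REQUIRED and must carry a delta-seconds value
    if "max-age" not in directives:
        raise HstsParseError("max-age directive is required")
    max_age = directives.pop("max-age")
    if max_age is None or DELTA_SECONDS_RE.match(max_age) is None:
        raise HstsParseError(f"max-age must be delta-seconds, got {max_age!r}")

    # includeSubDomains is OPTIONAL and takes no value
    include_subdomains = False
    if "includesubdomains" in directives:
        if directives.pop("includesubdomains") is not None:
            raise HstsParseError("includeSubDomains takes no value")
        include_subdomains = True

    # whatever is left is unrecognized: ignored, but reported for logging
    return HstsPolicy(int(max_age), include_subdomains, tuple(directives))


def is_valid_hsts(header_value: str) -> bool:
    """True if the header value parses; a UA would ignore the header otherwise."""
    try:
        parse_hsts(header_value)
        return True
    except HstsParseError:
        return False


if __name__ == "__main__":
    # constructed sample: the trailing-semicolon case from the issue
    print(parse_hsts("max-age=31536000; includeSubDomains;"))
```

Splitting on ";" before matching each element is what makes the trailing semicolon and the arbitrary order fall out of the grammar rather than needing special cases; the fixed-order parser the issue describes would have to enumerate every permutation instead.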
sindlar pushed a commit to sindlar/akka-http that referenced this issue Jul 20, 2018
@johanandren johanandren added 3 - in progress Someone is working on this ticket t:core Issues related to the akka-http-core module labels Jul 25, 2018
@raboof raboof added this to the 10.1.4 milestone Aug 17, 2018
@raboof raboof closed this as completed Aug 17, 2018