I understand the worry that enabling HSTS by default and automatically could cause unexpected troubles to users, but I think Dokku could go a bit further in enabling “the operator to use HSTS”.
Currently, the only (as far as I know) way to enable HSTS on Dokku-level is to customize Nginx config by providing a custom nginx.conf.sigil template that would include the add_header Strict-Transport-Security directive if SSL is enabled for the application.
However, while this could work well for buildpack and Dockerfile-based deploys, it quickly becomes troublesome when deploying an existing Docker image. For example, on my personal website, I run the default, unmodified image of Ghost CMS, and using the above solution would mean the necessity to re-package the vanilla image to add custom Nginx template. Possible, but not exactly user-friendly.
Furthermore, when it is wanted to enable HSTS to all apps running in Dokku, it is suddenly required to add the custom Nginx configuration file into every application’s repository, and perhaps undertake additional steps for Dockerfile-based deploys (I’m not too sure as I don’t use this feature of Dokku, but I remember reading in the documentation something about the necessity of deleting the Nginx configuration file later, for security reasons). Again, possible but at this point, quite troublesome and somewhat annoying.
Another solution would be using a simple plugin – in fact, I was thinking of just forking a completely different plugin that alters Nginx configuration and simply adjusting it to my needs. However, I quickly realized that I’m not quite sure how to ensure that this header is only appended to requests that reached the server through HTTPS…
I think Dokku could be slightly more helpful in regards to this and while it probably shouldn’t enable HSTS by default for reasons mentioned above, I think it would be a welcome addition to have a new command (perhaps dokku certs:hsts <app> [--enable --disable]?) that would alter generating of the Nginx configuration file in such a way that if the administrator wishes to have HSTS enabled for an application, he or she can do so easily and quickly.
Repeating this task for other applications then just involves re-running the same command with a different application name.
I wish I had the skill to implement this myself, but until then, all I can do is ask you for your kind consideration. Thank you for reading through this, and thank you even more for the amazing work you’ve done on Dokku!
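As an added illustration (not part of the original issue and not Dokku's own template), this is the shape a custom nginx.conf.sigil takes when the header is emitted only inside the TLS server block, so the plain-HTTP redirect never carries it. The Go template variable names (SSL_INUSE, SSL_SERVER_NAME, NOSSL_SERVER_NAME, APP_SSL_PATH, NGINX_PORT, NGINX_SSL_PORT, DOKKU_APP_LISTENERS, APP) are assumed from Dokku's default template and should be checked against the installed version's nginx.conf.sigil.

```nginx
# Added example: HSTS emitted only from the HTTPS server block.
# Template variable names are assumed from Dokku's default nginx.conf.sigil.
upstream {{ $.APP }} {
{{ range .DOKKU_APP_LISTENERS | split " " }}  server {{ . }};
{{ end }}}

{{ if .SSL_INUSE }}
server {
  listen      [::]:{{ .NGINX_PORT }};
  listen      {{ .NGINX_PORT }};
  server_name {{ .NOSSL_SERVER_NAME }};
  # Plain HTTP only redirects. No HSTS here: browsers ignore the header
  # on non-TLS responses, so emitting it would be pointless.
  return 301 https://$host$request_uri;
}

server {
  listen      [::]:{{ .NGINX_SSL_PORT }} ssl;
  listen      {{ .NGINX_SSL_PORT }} ssl;
  server_name {{ .SSL_SERVER_NAME }};
  ssl_certificate     {{ $.APP_SSL_PATH }}/server.crt;
  ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key;

  # The header lives only in this block, so it is sent exclusively over TLS.
  # Start with a short max-age and without includeSubDomains/preload until every
  # host under the domain is known to serve valid TLS; browsers cache the policy
  # for max-age seconds, which is what makes HSTS awkward to roll back.
  # "always" adds the header on error responses too (nginx 1.7.5+).
  add_header Strict-Transport-Security "max-age=300" always;

  location / {
    # No add_header in this location, so the server-level header is inherited.
    proxy_pass http://{{ $.APP }};
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
  }
}
{{ else }}
server {
  listen      [::]:{{ .NGINX_PORT }};
  listen      {{ .NGINX_PORT }};
  server_name {{ .NOSSL_SERVER_NAME }};
  location / {
    proxy_pass http://{{ $.APP }};
    proxy_set_header Host $http_host;
  }
}
{{ end }}
```

After the config is regenerated, `curl -sI https://<app-host> | grep -i strict-transport` should show the header while the same request over `http://` returns only the 301 without it.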
I think it's time to set this, and even make hsts default. We've been striving for the most secure setup by default, and while hsts is sometimes annoying to disable, I think the tradeoff is worth it. Thoughts @michaelshobbs?