There should be a way to set HSTS headers

[CyBeRoni]

It would be incredibly nice for TLS-enabled Zotonic websites to be able to set an HSTS (HTTP Strict-Transport-Security) headers.

The header should have a configurable max age and allow configuring other directives (such as includeSubDomains and preload) as required. If enabled, it should be included on every response served over HTTPS (taking into account possible TLS-offloading proxies.)

See also https://tools.ietf.org/html/rfc6797.

[ddeboer]

Oddly enough, the RFC mentions only two directives, includeSubDomains and max-age; preload is only mentioned by OWASP.

We usually have a TLS terminator in front of Zotonic, in which case mod_ssl is not enabled. So either we add this to a separate module (other than mod_ssl) or we document that when a TLS terminator is used, setting the Strict-Transport-Security header should be done in that endpoint instead.

[mworrell]

I am redoing mod_ssl a bit. My plan is to make it aware of any SSL terminator proxies in front of the site. In that case we can add these headers to mod_ssl, just like the secure flags for the cookies.

[mworrell]

BTW I will need a way to see if the request originated via SSL or not. Is there any information added in haproxy (or other SSL terminators) to derive this?

[CyBeRoni]

RFC7239 defines such a thing.

[ddeboer]

Exactly: what used to be X-Forwarded-Proto: https has now become Forwarded: proto=https. So then the logic becomes simple: when mod_ssl is enabled, set the Strict-Transport-Security header either

• if the current requests is over HTTPS
• or if Forwarded: proto=https is set.

The includeSubDomain, preLoad and max-age should be configurable from the mod_ssl settings in the admin, with an (already existing) fallback to zotonic.config values.

[mworrell]

Merge the changes in #2297 into master