New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx: Enable HSTS when forceSSL is on #26681
Conversation
@kirelagin, thanks for your PR! By analyzing the history of the files in this pull request, we identified @globin, @domenkozar and @fadenb to be potential reviewers. |
@@ -170,6 +170,9 @@ let | |||
ssl_certificate ${vhost.sslCertificate}; | |||
ssl_certificate_key ${vhost.sslCertificateKey}; | |||
''} | |||
${optionalString vhost.forceSSL '' | |||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be definitely mentioned in both documention for forceSSL
and nixos release changelog. There might be also the use case for people wanting a redirect, but no HSTS
(yet), when testing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I agree that some people might want that. At the same time my point is that, if not for testing, compulsory redirect without HSTS is useless in terms of security.
How would you suggest to implement that? Have a completely separate config option? Have a separate config option, enabled by default by forceSSL
and mentioned in its documentation? Other ideas?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is very dangerous. We thought about adding HSTS when we implemented forceSSL
but did not because it could break websites and should therefore be a conscious user choice. Including includeSubDomains
by default would also probably break other sites unexpectedly.
The only option I think is feasible to create a separate option to enable HSTS and maybe make max-age
and includeSubDomains
configurable.
Ok, in this case I’ll add a separate option and mention it in the documentation for |
It's very easy to lock users out of the website, I would never enable HSTS by default, but we can make it optional. |
Well, personally I do not think that HSTS is that scary, it does not pin a certificate and obtaining a valid certificate nowadays is incredibly easy. Anyway, I’m thinking about something like:
I am also inclined towards always sending the header, but setting |
Might it be a good idea to rename |
In case someone wonders, I still hope to get to this some time soon. |
(triage) @kirelagin, do you still plan to get back to this? :) (also, the PR title may need an update now that the objective has changed, something like “nginx: add an option to enable HSTS” maybe?) |
Yeah, that looks good!
Hmm, no I think people wouldn't expect that. You don't want to mess with the entire domain if not explicitly opted in. |
Given the complications around disabling HSTS, I wouldn't like to see it enabled implicitly (like by (Incidentally, are there any functions in nixpkgs for dealing with units of time? It would be cool to have Is anyone else working on this? If not, I will make a PR for About sending
|
Thank you for your contributions.
|
I would prefer this to be a seperate option rather than beeing included by default. |
No description provided.