HSTS Preload header configuration

While sympl already has built-in ssl-only and hsts configuration options, the hsts option is just an on/off switch and is limited in what it can achieve.
https://wiki.sympl.io/view/Website_Configuration_Reference#Enforcing_HTTPS

I’m working with several domains which are preloaded, meaning the HSTS header needs to comply with several rules, as per https://hstspreload.org.
The rules are as follows:

  1. Serve a valid certificate.
  2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
  3. Serve all subdomains over HTTPS.
     • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
     • Note: HSTS preloading applies to all subdomains, including internal subdomains that are not publicly accessible.
  4. Serve an HSTS header on the base domain for HTTPS requests:
     • The max-age must be at least 31536000 seconds (1 year).
     • The includeSubDomains directive must be specified.
     • The preload directive must be specified.
     • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

If I set both ssl-only and hsts, I still don’t end up with a conformant header, and there is no way to configure sympl to give us one. Specifically I need to set:

  • The max-age must be at least 31536000 seconds (1 year).
  • The includeSubDomains directive must be specified.
  • The preload directive must be specified.

For example, you can see these omissions on the sympl.io domain: HSTS Preload List Submission Admittedly the lack of preloading may be intentional for this domain, but it nonetheless demonstrates the above.

I can see from the source code that the hsts option just enables a hardcoded header (web/apache.d/ssl.template.erb · bookworm · sympl.io / Sympl · GitLab). Can this be made configurable in a future version of sympl, so I can simply specify in the configuration that I want includeSubDomains and preload, without having to resort to apache.d/ configuration files?

By the way, for those wanting to configure this now, the easiest way would be to use ssl-only and add the file config/apache.d/hsts.conf with the following contents, instead of using the built-in hsts config option.

<IfModule ssl_module>
  <IfModule headers_module>
    # Enable HSTS (mod_headers is required, 63072000 seconds = 2 years)
    # ONLY ENABLE PRELOADING IF YOU REALLY UNDERSTAND THE CONSEQUENCES
    # see: https://hstspreload.org/#submission-requirements
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  </IfModule>
</IfModule>

Thanks
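A small checker for the header rules quoted in the post above, as an added example that is not part of the original post or of sympl. It parses a Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, values may be quoted, and a directive repeated in one header makes the whole header invalid) and reports which of the hstspreload.org requirements for the header itself are not met. The function names and the constructed sample header values are this example's own; it does not fetch anything, so it checks a header string you paste in from curl output or a config file.

```python
# Added example: check a Strict-Transport-Security header value against the
# hstspreload.org header requirements quoted in the post. Not sympl code.

# Preload requirement from hstspreload.org: max-age of at least one year.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_sts(header_value):
    """Parse an STS header value into {directive_name_lowercase: value}.

    RFC 6797 section 6.1: directive names are case-insensitive, values may be
    quoted, and a directive must not appear more than once. If one does, the
    browser ignores the whole header, so we return None to signal that.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon or empty segment
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None  # duplicated directive: header is invalid as a whole
        directives[name] = value
    return directives


def check_preload(header_value):
    """Return a list of problems with the header for preload submission.

    An empty list means the header itself satisfies the preload rules
    (the certificate, redirect and subdomain rules are out of scope here).
    """
    directives = parse_sts(header_value)
    if directives is None:
        return ["a directive is repeated; browsers ignore such a header entirely"]

    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age is missing or not a non-negative integer")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(
            f"max-age={max_age} is below {MIN_PRELOAD_MAX_AGE} seconds (1 year)"
        )
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in directives:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the header from the apache.d snippet in the
    # post, and some variants that fail one or more of the rules.
    samples = [
        "max-age=63072000; includeSubDomains; preload",
        'max-age="31536000"; IncludeSubDomains; PRELOAD',
        "max-age=31536000",
        "max-age=15768000; includeSubDomains; preload",
        "includeSubDomains; preload",
        "max-age=31536000; max-age=0; includeSubDomains; preload",
    ]
    for value in samples:
        result = check_preload(value) or ["OK"]
        print(f"{value!r}: {'; '.join(result)}")
```

Note that the snippet in the post uses `Header always set`: the `always` condition makes mod_headers add the header to non-2xx responses too, which is what the last rule (the HTTPS-to-HTTPS redirect must itself carry the header) requires; a plain `Header set` would leave the 301/302 response without it.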

Absolutely. I’ll add an issue so that gets included when sympl-web-configure is rewritten.

Excellent, thank you